Re: [fw-wiz] Random and strange RST,ACKs

[Chris Myers <clmmacunix@charter.net>]

The peculiar part is your dst port is 88. Are you port forwarding  
your http to 88, if so, there is no real need for this as it is not  
more secure. Are there other clients using port 88 that are working?  
If not, then the backend machine is doing its job.

clmmacunix

On Mar 1, 2007, at 1:15 PM, Phil Hunter wrote:

> Eduardo Tongson wrote:
>> ---------- Forwarded message ----------
>> From: Eduardo Tongson <propolice@gmail.com>
>> Date: Feb 28, 2007 6:07 PM
>> Subject: Random and strange RST,ACKs
>> To: pf@benzedrine.cx
>> Hi folks,
>> I have this peculiar problem where the client over http is having
>> intermittent reset and timeouts. Doing a dump on the session I see
>> strange and random RST,ACKs. Here is a
>> snip:
>>
>> No.     Time        Source       Destination           Protocol Info
>>      54 15.291306   CLIENT       SERVER         TCP      4813 > 88
>> [ACK] Seq=2857 Ack=7738 Win=64512 Len=0
>>      55 15.303536   CLIENT       SERVER         TCP      4813 > 88
>> [ACK] Seq=2857 Ack=9040 Win=64512 Len=0
>>      56 15.393751   CLIENT       SERVER         KRB5
>> Continuation[Unreassembled Packet]
>>      57 15.394190   SERVER         CLIENT       KRB5
>> Continuation[Unreassembled Packet]
>>      58 15.482484   CLIENT       SERVER         TCP      4814 > 88
>> [ACK] Seq=2117 Ack=8350 Win=64042 Len=0
>>      59 15.583039   CLIENT       SERVER         TCP      4813 > 88
>> [ACK] Seq=3337 Ack=9275 Win=64277 Len=0
>>      60 17.114978   CLIENT       SERVER         KRB5
>> Continuation[Unreassembled Packet]
>>      61 17.116075   CLIENT       SERVER         TCP      4814 > 88
>> [RST, ACK] Seq=2446 Ack=8350 Win=0 Len=0
>>      62 17.116481   SERVER         CLIENT       KRB5
>> Continuation[Unreassembled Packet]
>>      63 17.116585   SERVER         CLIENT       KRB5
>> Continuation[Unreassembled Packet]
>>      64 17.116694   SERVER         CLIENT       KRB5
>> Continuation[Unreassembled Packet]
>>      65 17.116703   SERVER         CLIENT       TCP      [TCP segment
>> of a reassembled PDU]
>>      66 17.214855   CLIENT       SERVER         TCP      4815 > 88
>> [SYN] Seq=0 Len=0 MSS=1260
>>      67 17.215060   SERVER         CLIENT       TCP      88 > 4815
>> [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
>>
>> on 61 there is that sudden RST,ACK.
>>
>> What might cause this?
>> By a long shot could it be a RST attack like the one described in
>> "Slipping the Window"?
>>
>> TIA
>> - ed
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
>>
> Is there a firewall between these. If so it will reset the connection
> every two hours if not used
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards