From owner-freebsd-security Thu Jan 10 4:34:31 2002
Date: Thu, 10 Jan 2002 13:34:01 +0100
From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Subject: Fw: Re: LAST_ACK traffic?
Message-Id: <20020110133401.0b440c90.kzaraska@student.uci.agh.edu.pl>
Organization: University Of Mining And Metallurgy
X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu)

On Mon, 7 Jan 2002 14:36:11 -0200 (BRST) Paulo Fragoso wrote:

> Hi,
>
> In our network there are some workstations behind a firewall. Today we were
> looking at our internal traffic, and there was one workstation sending packets
> to one webserver at 200kbps:
>
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0  our.work.station.1412  200.226.137.10.80      LAST_ACK
>
> The user of that workstation was using Opera 6.0 for Linux (on FreeBSD
> 4.4-RELEASE). The strange traffic started after he closed Opera.
>
> Is there any security problem with this? Why was our workstation sending
> packets in LAST_ACK without any process bound to port 1412 (checked with
> lsof)?
According to W. R. Stevens, "TCP/IP Illustrated", fig. 18.13, this is a closed socket, still living in the kernel after Opera was closed and awaiting the final ACK packet from the remote server to shut down. If this ACK does not arrive, I guess the kernel should time out and shut it down anyhow. This socket should not be able to transmit anything.

BTW, netstat does not show you the network traffic; it only shows you what state each socket is in (you may have an ESTABLISHED socket and no transmission). If you want to see what is really going on on the wire, you should use a tool like tcpdump or ethereal.

Regards,
Krzysztof
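As an added illustration (not part of either message in this thread), the following Python model walks both endpoints through the close handshake of RFC 793 / Stevens fig. 18.13 and shows how a socket ends up parked in LAST_ACK with no owning process. The server closes first, the workstation's kernel ACKs the server's FIN, and only when the application (Opera) finally calls close() does the workstation send its own FIN and enter LAST_ACK; from then on the kernel owns the socket, and what it does there is wait for one ACK, resending its FIN a bounded number of times before dropping the socket. The endpoint names, the retransmission limit and the "lost ACK" scenario are constructed assumptions for the example; the addresses are the ones from Paulo's netstat output.

```python
"""TCP connection-close handshake modelled as a small state machine
(RFC 793; Stevens, TCP/IP Illustrated vol. 1, fig. 18.13).
Constructed example: names, FIN_RETRANSMIT_LIMIT and the lost-ACK scenario
are illustrative, not FreeBSD's actual implementation."""

from dataclasses import dataclass

# (current state, segment received) -> (next state, segment to send back)
RECEIVE_TRANSITIONS = {
    ("ESTABLISHED", "FIN"): ("CLOSE_WAIT", "ACK"),   # peer closed first: we are the passive closer
    ("FIN_WAIT_1", "ACK"):  ("FIN_WAIT_2", None),    # our FIN was acknowledged
    ("FIN_WAIT_1", "FIN"):  ("CLOSING", "ACK"),      # simultaneous close
    ("FIN_WAIT_2", "FIN"):  ("TIME_WAIT", "ACK"),
    ("CLOSING", "ACK"):     ("TIME_WAIT", None),
    ("LAST_ACK", "ACK"):    ("CLOSED", None),        # the one segment LAST_ACK is waiting for
}

FIN_RETRANSMIT_LIMIT = 3  # assumed bound; real stacks use a backoff schedule


@dataclass
class Endpoint:
    name: str
    local: str                     # "addr.port", as netstat prints it
    state: str = "ESTABLISHED"
    fin_retransmits: int = 0

    def close(self) -> str:
        """Application calls close(). The process may exit right after this,
        but the kernel keeps the socket until the handshake completes."""
        if self.state == "ESTABLISHED":
            self.state = "FIN_WAIT_1"      # active close
        elif self.state == "CLOSE_WAIT":
            self.state = "LAST_ACK"        # passive close: send FIN, await its ACK
        else:
            raise ValueError(f"close() called in state {self.state}")
        return "FIN"

    def receive(self, segment: str):
        """Apply an incoming segment; return the segment to send back, if any."""
        key = (self.state, segment)
        if key not in RECEIVE_TRANSITIONS:
            return None                    # duplicate or irrelevant segment: ignored
        self.state, reply = RECEIVE_TRANSITIONS[key]
        return reply

    def retransmit_timer(self):
        """Timer expiry while in LAST_ACK: resend FIN, or give up and drop the socket."""
        if self.state != "LAST_ACK":
            return None
        if self.fin_retransmits >= FIN_RETRANSMIT_LIMIT:
            self.state = "CLOSED"          # kernel times the orphaned socket out
            return None
        self.fin_retransmits += 1
        return "FIN"

    def netstat_line(self, foreign: str) -> str:
        """One row in the shape of `netstat -an` output."""
        return f"tcp4       0      0  {self.local:<22} {foreign:<22} {self.state}"


def run_close(lose_final_ack: bool) -> dict:
    """Server closes first, workstation follows; optionally the server's final
    ACK never reaches the workstation (e.g. dropped by a firewall)."""
    client = Endpoint("workstation", "our.work.station.1412")
    server = Endpoint("webserver", "200.226.137.10.80")
    wire = []                              # (sender, segment) in transmission order

    # 1. server application closes: FIN -> workstation
    seg = server.close(); wire.append((server.name, seg))
    # 2. workstation kernel ACKs at once; Opera still holds the socket (CLOSE_WAIT)
    reply = client.receive(seg); wire.append((client.name, reply))
    server.receive(reply)                  # server: FIN_WAIT_1 -> FIN_WAIT_2
    # 3. Opera closes and exits: FIN -> server, socket now in LAST_ACK with no process
    seg = client.close(); wire.append((client.name, seg))
    snapshot = client.netstat_line(server.local)   # what netstat shows at this moment
    reply = server.receive(seg); wire.append((server.name, reply))  # server -> TIME_WAIT
    # 4. the final ACK is delivered, or lost and the kernel retransmits FIN until it gives up
    if not lose_final_ack:
        client.receive(reply)
    else:
        while (fin := client.retransmit_timer()) is not None:
            wire.append((client.name, fin))
    return {"client_state": client.state, "server_state": server.state,
            "fin_retransmits": client.fin_retransmits,
            "snapshot": snapshot, "wire": wire}


if __name__ == "__main__":
    for lost in (False, True):
        r = run_close(lose_final_ack=lost)
        print(f"final ACK lost={lost}: {r['snapshot']}")
        print(f"  ends as client={r['client_state']} server={r['server_state']}"
              f" after {r['fin_retransmits']} FIN retransmissions")
```

The snapshot line is identical in both runs: netstat reports the socket's state, not whether anything is crossing the wire, which is why a packet capture is the right tool for a traffic question. The wire list is where the two runs differ, and a 200 kbps stream does not fit the few FIN retransmissions an orphaned LAST_ACK socket can produce.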