From owner-freebsd-net Tue Mar 12 18:41:15 2002
Delivered-To: freebsd-net@freebsd.org
Received: from paix.pilosoft.com (paix.pilosoft.com [216.66.12.246]) by hub.freebsd.org (Postfix) with ESMTP id 35FF137B400 for ; Tue, 12 Mar 2002 18:40:23 -0800 (PST)
Received: from localhost (alex@localhost) by paix.pilosoft.com (8.11.6/8.11.6) with ESMTP id g2CLTLK12775; Tue, 12 Mar 2002 16:29:21 -0500
Date: Tue, 12 Mar 2002 16:29:21 -0500 (EST)
From: alex@pilosoft.com
To: Dmitry Koltsov
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Apache/TCP stack issues
In-Reply-To: <20020313013953.C69396B340@mail2.hostonfly.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Mar 2002, Dmitry Koltsov wrote:

> I have some issues with the TCP stack and/or Apache. Issue: I'm getting a
> "Connection refused" error when trying to connect to Apache over the
> Internet when packet loss is 1-2%. Not all connection attempts fail, but
> about 3% of attempts. When I'm trying to connect over the local network (from
> another machine and localhost) at the same time, all is ok. In order to
> get these statistics, I've made 20000 attempts from each place at the
> same time.

Some thoughts for you:

> 00:55:24.794637 195.252.103.127.4389 > 216.65.107.31.80: S 15459564:15459564(0) win 8192 (DF)
> 00:55:24.794720 216.65.107.31.80 > 195.252.103.127.4389: S 2478638582:2478638582(0) ack 15459565 win 33232 (DF)
> 00:55:26.521535 216.65.107.31.80 > 195.252.103.127.4389: R 1:1(0) ack 1 win 33232 (DF)

A major note: the source port (4389) is the same for many queries. This is
not normal. A local port should not be reused until X time has passed (X
being at least the time for a TCP connection to go from TIME_WAIT to
closed). I'm not sure what FreeBSD's policy on outgoing port reuse is, but
this is definitely a problem.

Why is it a problem: since the tuple that identifies the connection is
(sourceIP, sourcePort, destIP, destPort), which would be the same for many of
your TCP connections, the server will consider this to be a syn-spoofing
attack. Here's the logic:

First connection (everything is good, seq1 and seq2 are sequence numbers):

  client.4389 -> server.80    SYN (seq1)
  server.80   -> client.4389  SYN ACK (seq2)
  ...some time passes...
  server.80   -> client.4389  RST
  client.4389 -> server.80    RST

Now, assume that the RST from the client got lost, in the following exchange:

  client.4389 -> server.80    SYN (seq3)
  server.80   -> client.4389  SYN ACK (seq4)
  ...some time passes...
  server.80   -> client.4389  RST
  client.4389 -> server.80    RST (LOST!)

Now, on the server, the connection is still in TIME_WAIT state. On the
client, the connection is gone, and the client immediately reuses the local
port. Now, the next connection:

  client.4389 -> server.80    SYN (seq5)

Now, the server is thinking "WTF? the sequence number doesn't match up for an
_existing_ connection", and sends you back an RST, which is exactly what you
are seeing.

So, a question: are you doing anything funky to cause local port reuse?

I don't know what FreeBSD does, and haven't looked at the RFC for whether
there's a requirement NOT to reuse a port until at least TCP_FIN_TIMEOUT (or
whatever FreeBSD's equivalent sysctl is) time passes, but it appears that it
would be the right thing to do.

-alex

> 00:55:27.813385 195.252.103.127.4389 > 216.65.107.31.80: S 15459564:15459564(0) win 8192 (DF)
> 00:55:27.813485 216.65.107.31.80 > 195.252.103.127.4389: S 2939404798:2939404798(0) ack 15459565 win 33232 (DF)
> 00:55:27.994115 195.252.103.127.4389 > 216.65.107.31.80: . ack 3834201081 win 8576 (DF)
> 00:55:27.994156 216.65.107.31.80 > 195.252.103.127.4389: R 2478638583:2478638583(0) win 0
> 00:55:28.042403 195.252.103.127.4389 > 216.65.107.31.80: P 1:309(308) ack 3834201081 win 8576 (DF)
> 00:55:28.042466 216.65.107.31.80 > 195.252.103.127.4389: R 2478638583:2478638583(0) win 0
> 00:55:28.217906 195.252.103.127.4389 > 216.65.107.31.80: R 15459565:15459565(0) win 0
>
>
> 00:55:26.893251 151.27.40.210.1560 > 216.65.107.31.80: S 37780527:37780527(0) win 8192 (DF)
> 00:55:26.893329 216.65.107.31.80 > 151.27.40.210.1560: S 2578149080:2578149080(0) ack 37780528 win 33232 (DF)
> 00:55:27.300599 216.65.107.31.80 > 151.27.40.210.1560: R 1:1(0) ack 1 win 33232(DF)
> 00:55:27.316952 151.27.40.210.1560 > 216.65.107.31.80: . ack 1 win 8576 (DF)
> 00:55:27.317038 216.65.107.31.80 > 151.27.40.210.1560: R 2578149081:2578149081(0) win 0
> 00:55:27.467521 151.27.40.210.1560 > 216.65.107.31.80: P 1:369(368) ack 1 win 8576 (DF)
> 00:55:27.467567 216.65.107.31.80 > 151.27.40.210.1560: R 2578149081:2578149081(0) win 0
>
>
> 00:38:52.468064 194.85.102.167.46350 > 216.65.107.31.80: S 1156823521:1156823521 (0) win 16384 (DF)
> 00:38:52.468137 216.65.107.31.80 > 194.85.102.167.46350: S 4104358926:4104358926 (0) ack 1156823522 win 33580 (DF)
> 00:38:55.462633 216.65.107.31.80 > 194.85.102.167.46350: S 4104358926:4104358926 (0) ack 1156823522 win 33580 (DF)
> 00:38:57.544738 216.65.107.31.80 > 194.85.102.167.46350: R 1:1(0) ack 1 win 33580 (DF)
>
>
> Best regards,
> Dmitry Koltsov
> Host On Fly S.A.
> tel: + 7 812 9404403
> tel: + 41 78 8286002
> fax: + 1 775 2426205
> ICQ: 44656213
> mailto:root@hostonfly.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
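An added example (not code from the thread) that parses the tcpdump lines quoted above and reports each client SYN that repeats a 4-tuple the server has already answered on, separating a retransmitted SYN (same ISN as the first SYN) from a port reused for a new connection (different ISN), which is the TIME_WAIT collision alex describes. The first four trace lines are the 4389 flow from the thread; the final line with a fresh ISN is constructed.

```python
import re

# Added example, not code from the thread. Parses old-style tcpdump lines
# ("HH:MM:SS.usec src.port > dst.port: FLAGS seq:seq(len) [ack N] win W")
# and flags each client SYN that repeats a 4-tuple the server has already
# answered on: same ISN as the first SYN => retransmitted SYN, different
# ISN => a new connection reusing the port (TIME_WAIT collision).
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SRPF.]+)\s*"
    r"(?:(?P<seq>\d+):\d+\s*\(\d+\))?(?P<rest>.*)$")

def parse_pkt(line):
    """One tcpdump line -> dict, or None if the line is not a TCP packet line."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {"ts": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": (m["sip"], int(m["sport"])), "dst": (m["dip"], int(m["dport"])),
            "syn": "S" in m["flags"], "is_ack": "ack" in m["rest"].split(),
            "seq": int(m["seq"]) if m["seq"] else None}

def classify_syns(lines):
    """Return (client_4tuple, timestamp, verdict) for every repeated client SYN."""
    seen = {}  # client 4-tuple -> [ISN of its first SYN, server has replied?]
    findings = []
    for p in filter(None, map(parse_pkt, lines)):
        if p["syn"] and not p["is_ack"]:           # a client's initial SYN
            key = p["src"] + p["dst"]
            if key in seen and seen[key][1]:
                same = p["seq"] == seen[key][0]
                findings.append((key, p["ts"], "retransmit" if same else "port-reuse"))
            if key not in seen or seen[key][0] != p["seq"]:
                seen[key] = [p["seq"], False]      # new (or changed) connection attempt
        elif p["dst"] + p["src"] in seen:          # anything sent back by the server
            seen[p["dst"] + p["src"]][1] = True
    return findings

# The first four lines are the 4389 flow quoted in the thread; the last line is
# a constructed SYN with a fresh ISN on the same tuple (genuine port reuse).
SAMPLE_TRACE = [
    "00:55:24.794637 195.252.103.127.4389 > 216.65.107.31.80: S 15459564:15459564(0) win 8192 (DF)",
    "00:55:24.794720 216.65.107.31.80 > 195.252.103.127.4389: S 2478638582:2478638582(0) ack 15459565 win 33232 (DF)",
    "00:55:26.521535 216.65.107.31.80 > 195.252.103.127.4389: R 1:1(0) ack 1 win 33232 (DF)",
    "00:55:27.813385 195.252.103.127.4389 > 216.65.107.31.80: S 15459564:15459564(0) win 8192 (DF)",
    "00:55:40.100000 195.252.103.127.4389 > 216.65.107.31.80: S 99000001:99000001(0) win 8192 (DF)",
]
```

Calling `classify_syns(SAMPLE_TRACE)` yields one "retransmit" verdict for the second 4389 SYN (same ISN) and one "port-reuse" verdict for the constructed line; run it over a full capture to see how often a client really reuses a 4-tuple the server still holds in TIME_WAIT.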