I awoke this morning to face what looked like a partial DoS. On investigation, 
2 client TCP connections from the same source to my webserver had been 
sending repeated ACKs for over 2 hours, and my webserver had been responding 
diligently with ACKs of its own. This doesn't look like a SYN/ACK flood - 
it's just a regular connection that seems to be in an "ACK loop".

The original client connections were logged in my apache logs, and the 
"profile" of the web visit looked normal, so I suspect this may have been an 
inadvertent DoS rather than a deliberate attack. To solve the problem, I
blocked the source IP briefly which terminated the connections.

Questions:
1. Is this common - have others observed this? (Note: I'm not interested in 
random ICMP/SYN/Whatever flood stories, just this specific scenario please.)
2. How does it happen, (malicious/misconfiguration)?
3. Is there a way to drop these connections automatically, (preferably within
the stack itself, maybe after a configurable number of duplicate ACKs)?

The stuff below is from tcpdump/apache logs.

Thanks,
Fitz.

Notes:
X is the remote machine.
Y is my server, (FreeBSD 4.7-STABLE, built 2003/01/06)

tcpdump showing 2 remote connections repeatedly sending "ack 1":

09:16:10.236812 X.64670 > Y.http: . ack 1 win 32589
09:16:10.236879 Y.http > X.64670: . ack 489 win 58400 (DF)
09:16:10.242978 X.64670 > Y.http: . ack 1 win 32589
09:16:10.243037 Y.http > X.64670: . ack 489 win 58400 (DF)
09:16:10.248883 X.64677 > Y.http: . ack 1 win 32767
09:16:10.248946 Y.http > X.64677: . ack 25 win 58400 (DF)
09:16:10.255044 X.64670 > Y.http: . ack 1 win 32589
09:16:10.255123 Y.http > X.64670: . ack 489 win 58400 (DF)
09:16:10.262925 X.64677 > Y.http: . ack 1 win 32767
09:16:10.262989 Y.http > X.64677: . ack 25 win 58400 (DF)
09:16:10.268842 X.64670 > Y.http: . ack 1 win 32589
09:16:10.268905 Y.http > X.64670: . ack 489 win 58400 (DF)
09:16:10.275241 X.64670 > Y.http: . ack 1 win 32589
09:16:10.275303 Y.http > X.64670: . ack 489 win 58400 (DF)


Here are the original http requests, (2 hours earlier), from my apache logs:

X - - [07:03:31] "GET /p1.html HTTP/1.0" 200 42249
"http://www.google.com/search?..."; "Mozilla/4.78 [en] (Win98; U)"
X - - [07:03:31] "GET /i0.png HTTP/1.0" 200 1287 "http://Y/p1.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:03:31] "GET /clear.gif HTTP/1.0" 200 42 "http://Y/p1.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:03:31] "GET /clear.gif HTTP/1.0" 200 42 "http://Y/p1.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:06] "GET /p2.html HTTP/1.0" 200 4345 "http://Y/p1.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:07] "GET /i4.png HTTP/1.0" 200 8605 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:07] "GET /i1.png HTTP/1.0" 200 13468 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:07] "GET /i2.png HTTP/1.0" 200 14218 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:07] "GET /i3.png HTTP/1.0" 200 10152 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:08] "GET /i6.png HTTP/1.0" 200 14661 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:10] "GET /i8.png HTTP/1.0" 200 8874 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:11] "GET /i10.png HTTP/1.0" 200 7797 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:11] "GET /i12.png HTTP/1.0" 200 5743 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:11] "GET /i5.png HTTP/1.0" 200 13537 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:12] "GET /i9.png HTTP/1.0" 200 9051 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:13] "GET /i13.png HTTP/1.0" 200 11542 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:13] "GET /i11.png HTTP/1.0" 200 9050 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"
X - - [07:05:14] "GET /i7.png HTTP/1.0" 200 11669 "http://Y/p2.html";
"Mozilla/4.78 [en] (Win98; U)"

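The capture above shows the pattern worth detecting: each side keeps sending a pure ACK (no payload) with an ack number that never changes, and every ACK from one side provokes another from the other, at well over 100 packets a second on a single connection. The script below is an added example for this thread, not code from Fitz's post. It parses tcpdump text of the shape shown above, finds runs of identical pure ACKs in each direction, and reports only connections where both directions are looping, since one-sided duplicate ACKs are ordinary loss recovery. The sample capture is constructed from the post's lines (hosts kept as X and Y) with one normal exchange from a third host Z added as a control; the thresholds and the ipfw rule format are the example author's assumptions, not anything the post states.

```python
"""Flag TCP "ACK loops" in old-style tcpdump text output.

Added example for this thread, not code from the original post.  Pure ACKs
with an unchanging ack number, repeated at short intervals in BOTH
directions of a connection, are reported; thresholds are assumptions.
"""
import re
from collections import namedtuple

# Constructed sample: the post's capture (hosts kept as X and Y) plus one
# ordinary request/ACK exchange from a third host Z as a control.
SAMPLE_CAPTURE = """\
09:16:10.236812 X.64670 > Y.http: . ack 1 win 32589
09:16:10.236879 Y.http > X.64670: . ack 489 win 58400 (DF)
09:16:10.242978 X.64670 > Y.http: . ack 1 win 32589
09:16:10.243037 Y.http > X.64670: . ack 489 win 58400 (DF)
09:16:10.248883 X.64677 > Y.http: . ack 1 win 32767
09:16:10.248946 Y.http > X.64677: . ack 25 win 58400 (DF)
09:16:10.255044 X.64670 > Y.http: . ack 1 win 32589
09:16:10.255123 Y.http > X.64670: . ack 489 win 58400 (DF)
09:16:10.262925 X.64677 > Y.http: . ack 1 win 32767
09:16:10.262989 Y.http > X.64677: . ack 25 win 58400 (DF)
09:16:10.268842 X.64670 > Y.http: . ack 1 win 32589
09:16:10.268905 Y.http > X.64670: . ack 489 win 58400 (DF)
09:16:10.275241 X.64670 > Y.http: . ack 1 win 32589
09:16:10.275303 Y.http > X.64670: . ack 489 win 58400 (DF)
09:16:11.100000 Z.1234 > Y.http: P 1:20(19) ack 1 win 8760 (DF)
09:16:11.100500 Y.http > Z.1234: . ack 20 win 58400 (DF)
"""

Packet = namedtuple("Packet", "ts src sport dst dport flags length ack")

# Old tcpdump (3.x) TCP line: time src.port > dst.port: flags [seq:end(len)] [ack N] win W ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>[^\s.]+)\s+>\s+(?P<dst>\S+)\.(?P<dport>[^\s.:]+):\s+"
    r"(?P<flags>[SFPRWE.]+)\s+"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
)


def _seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Parse tcpdump text into Packet tuples; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            ts=_seconds(m["ts"]),
            src=m["src"], sport=m["sport"], dst=m["dst"], dport=m["dport"],
            flags=m["flags"],
            length=int(m["len"] or 0),
            ack=int(m["ack"]) if m["ack"] else None,
        ))
    return packets


def find_ack_loops(packets, min_acks=5, max_gap=0.5):
    """Per direction (src, sport, dst, dport): find runs of >= min_acks consecutive
    pure ACKs carrying the same ack number, each within max_gap seconds of the
    previous one.  Any data segment or flag change in that direction ends the run."""
    runs, hits = {}, {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags != "." or p.length != 0 or p.ack is None:
            runs.pop(key, None)  # real traffic in this direction: not a loop
            continue
        run = runs.get(key)
        if run and run["ack"] == p.ack and p.ts - run["last"] <= max_gap:
            run["count"] += 1
            run["last"] = p.ts
        else:
            run = {"ack": p.ack, "count": 1, "first": p.ts, "last": p.ts}
            runs[key] = run
        if run["count"] >= min_acks:
            hits[key] = dict(run)
    return hits


def ack_wars(hits):
    """Connections where both directions are looping, each reported once,
    keyed by the lexically smaller direction tuple."""
    def reverse(k):
        return (k[2], k[3], k[0], k[1])
    return sorted(k for k in hits if reverse(k) in hits and k < reverse(k))


def ipfw_rule(key):
    """ipfw(8)-style deny rule for one direction of a looping connection (assumed
    format; where it goes in the ruleset and when it is removed is the operator's call)."""
    src, sport, dst, dport = key
    return "ipfw add deny tcp from %s %s to %s %s" % (src, sport, dst, dport)


if __name__ == "__main__":
    packets = parse_capture(SAMPLE_CAPTURE)
    hits = find_ack_loops(packets)
    for key in ack_wars(hits):
        run = hits[key]
        span = run["last"] - run["first"]
        print("ACK loop %s:%s <-> %s:%s: %d identical acks in %.3fs (%.0f/s)"
              % (key[0], key[1], key[2], key[3], run["count"], span,
                 run["count"] / max(span, 1e-6)))
        print("  " + ipfw_rule(key))
```

This runs in userland over tcpdump output rather than inside the stack, which is what question 3 asks about, so it covers only the detection half of an automatic block. On the sample, the X.64670 connection is reported in both directions (five identical acks in under 40 ms each way), the X.64677 connection only shows two acks per direction in this window and is not, and the Z exchange is ignored because it carries data. Requiring both directions to loop is what keeps a normal burst of duplicate ACKs after packet loss from being blocked.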

