Vulnerability Development mailing list archives
Bug, probable DoS in http connection or just paranoia?
From: Omar Herrera <oherrera () prodigy net mx>
Date: Mon, 18 Dec 2000 00:30:12 -0600
I just noticed some strange behavior when accessing, through my Linux box, http://www.newsnow.co.uk/cgi/NewsNow/NewsFeed.htm?Section=NewsLink&Theme=Encryption+%2F+Security (actually I reproduced it on another Linux box with another news section of www.newsnow.co.uk). This is a news site and most of their pages (sections) update every 5 minutes. Now, I looked at my port connections via 'netstat -an' and noticed that, after every 5 minutes (the time it takes the page to refresh), there appeared a bunch of connections in the LAST_ACK state:
netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      0 148.221.217.137:4232    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4231    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4229    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4228    194.205.233.230:80      CLOSE_WAIT
tcp        0    416 148.221.217.137:4225    194.205.233.230:80      LAST_ACK
tcp        0    452 148.221.217.137:4207    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4202    194.205.233.230:80      LAST_ACK
tcp        0    463 148.221.217.137:4200    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4199    194.205.233.230:80      LAST_ACK
tcp        0    416 148.221.217.137:4198    194.205.233.230:80      LAST_ACK
tcp        0    416 148.221.217.137:4194    194.205.233.230:80      LAST_ACK

I traced the address (194.205.233.230) and it turns out that it is linked to www.newsnow.co.uk:

nslookup 194.205.233.230
Server:   my.isp.server
Address:  xx.xx.xx.xx

Name:     www.newsnow.co.uk
Address:  194.205.233.230
Aliases:  230.233.205.194.in-addr.arpa

With each refresh, the number of these connections increased but, after about 20 minutes more or less (about 4 refreshes), the number of these connections seemed to be steady; 10 minutes after this, the number decreased, but it was really slow. I suppose there is a time-out somewhere in the kernel that closed these after some idle time (shutting down the network interfaces didn't kill any of them). I thought it could be my firewall (ipchains) configuration or IDS (snort), so I turned off both for a while, but the LAST_ACK connections still grew in number with each refresh (so I assume none of my defenses was involved). I know that in HTTP you establish several connections for the different resources of a page, but I thought that all ended in a CLOSE_WAIT state until they were closed when you redirect your browser to another page. My question is: could this method of creating idle LAST_ACK connections be used to perform some kind of DoS attack? (What if this page had a refresh of 10 seconds?)
Maybe this is normal for some web pages out there on the internet, but I'm worried that the time-out to kill these connections is too big. I also noticed that Snort reports a lot of 'ICMP Dest. Unreachable (Port unreachable)' messages while connected through my browser to this page. I don't know if this might be related, but maybe the refresh combined with the configuration of the web server or a filtering device in front of it produces this. Can anyone else reproduce this? My box: Linux Mandrake 7.2 with kernel 2.2.18; I also tested this successfully on some other boxes: Linux Mandrake 7.2 (kernel 2.2.17) and Linux Mandrake 7.0 (kernel 2.2.14).

Thanks,
Omar Herrera
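The per-state count that the post checks by eye in the netstat listing can be pulled out programmatically, which is what you would do to answer the question of whether the half-closed sockets keep growing from one refresh to the next. The following is an added example and is not part of Omar's message: it parses the 'netstat -an' format shown above (the 194.205.233.230 rows are the ones quoted in the post; the 10.0.0.5 and LISTEN rows are constructed here as a control), groups the half-closed TCP states CLOSE_WAIT and LAST_ACK per remote host, flags any peer that has accumulated more of them than a chosen threshold, and sums the Send-Q of the LAST_ACK sockets, which netstat defines as bytes the remote host has not acknowledged. The threshold, the file name and the helper names are this example's own.

```python
import re
import sys
from collections import Counter, defaultdict

# Sample 'netstat -an' output. The 194.205.233.230 rows are the ones quoted
# in the post above; the 10.0.0.5 and LISTEN rows are constructed here as a
# control so the filter has something to leave out.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      0 148.221.217.137:4232    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4231    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4229    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4228    194.205.233.230:80      CLOSE_WAIT
tcp        0    416 148.221.217.137:4225    194.205.233.230:80      LAST_ACK
tcp        0    452 148.221.217.137:4207    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4202    194.205.233.230:80      LAST_ACK
tcp        0    463 148.221.217.137:4200    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4199    194.205.233.230:80      LAST_ACK
tcp        0    416 148.221.217.137:4198    194.205.233.230:80      LAST_ACK
tcp        0    416 148.221.217.137:4194    194.205.233.230:80      LAST_ACK
tcp        0      0 148.221.217.137:4300    10.0.0.5:80             ESTABLISHED
tcp        0      0 148.221.217.137:4301    10.0.0.5:443            ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Half-closed TCP states. CLOSE_WAIT: the peer sent its FIN and the local
# application has not closed the socket yet. LAST_ACK: the local side has
# sent its own FIN and is waiting for the peer's final ACK.
HALF_CLOSED = {"CLOSE_WAIT", "LAST_ACK"}

# proto, recv-q, send-q, local, foreign, optional state (udp rows have none)
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*(\S*)$")


def split_endpoint(endpoint):
    """'194.205.233.230:80' -> ('194.205.233.230', '80'); also handles ':::22'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per socket row; header and non-matching lines are skipped."""
    conns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proto, recvq, sendq, local, foreign, state = m.groups()
        conns.append({
            "proto": proto,
            "recvq": int(recvq),
            "sendq": int(sendq),
            "local": split_endpoint(local),
            "peer": split_endpoint(foreign),
            "state": state,
        })
    return conns


def half_closed_by_peer(conns):
    """Map remote host -> Counter of CLOSE_WAIT / LAST_ACK sockets towards it."""
    by_peer = defaultdict(Counter)
    for c in conns:
        if c["proto"].startswith("tcp") and c["state"] in HALF_CLOSED:
            by_peer[c["peer"][0]][c["state"]] += 1
    return dict(by_peer)


def flag_peers(conns, threshold):
    """Peers with at least `threshold` half-closed sockets, busiest first."""
    totals = [(peer, sum(states.values()))
              for peer, states in half_closed_by_peer(conns).items()]
    return sorted([t for t in totals if t[1] >= threshold],
                  key=lambda t: (-t[1], t[0]))


def unacked_bytes_in_last_ack(conns):
    """Send-Q summed over LAST_ACK sockets: bytes the peer has not acknowledged."""
    return sum(c["sendq"] for c in conns if c["state"] == "LAST_ACK")


def main(argv):
    # Pass '-' to read live output:  netstat -an | python3 halfclosed.py -
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_NETSTAT
    conns = parse_netstat(text)
    for peer, states in sorted(half_closed_by_peer(conns).items()):
        print(peer, dict(states))
    for peer, n in flag_peers(conns, threshold=5):
        print(f"WARNING: {n} half-closed sockets towards {peer}")
    print("unacked bytes in LAST_ACK:", unacked_bytes_in_last_ack(conns))


if __name__ == "__main__":
    main(sys.argv)
```

Run it once per refresh interval (with '-' on stdin from a live netstat) and compare the per-peer totals between runs; a count that climbs with every refresh and only falls back after a long idle period is the pattern the post describes, while a count that plateaus and drains within a minute or two is ordinary connection teardown.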
Current thread:
- Re: Bug, probable DoS in http connection or just paranoia? Mark Collins (Dec 18)
- <Possible follow-ups>
- Bug, probable DoS in http connection or just paranoia? Omar Herrera (Dec 19)