Vulnerability Development mailing list archives

Bug, probable DoS in http connection or just paranoia?


From: Omar Herrera <oherrera () prodigy net mx>
Date: Mon, 18 Dec 2000 00:30:12 -0600

I just noticed some strange behavior when accessing through my Linux
box:

http://www.newsnow.co.uk/cgi/NewsNow/NewsFeed.htm?Section=NewsLink&Theme=Encryption+%2F+Security

(actually I reproduced it in another Linux box with another news section
of www.newsnow.co.uk)

This is a news site and most of their pages (sections) update every 5
minutes. Now, I looked at my port connections via 'netstat -an' and
noticed that, after every 5 minutes (the time it takes the page to
refresh), there appeared a bunch of connections in LAST_ACK state:

netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      0 148.221.217.137:4232    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4231    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4229    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4228    194.205.233.230:80      CLOSE_WAIT
tcp        0    416 148.221.217.137:4225    194.205.233.230:80      LAST_ACK
tcp        0    452 148.221.217.137:4207    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4202    194.205.233.230:80      LAST_ACK
tcp        0    463 148.221.217.137:4200    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4199    194.205.233.230:80      LAST_ACK
tcp        0    416 148.221.217.137:4198    194.205.233.230:80      LAST_ACK
tcp        0    416 148.221.217.137:4194    194.205.233.230:80      LAST_ACK

I traced the address (194.205.233.230) and it turns out that it is
linked to www.newsnow.co.uk

nslookup 194.205.233.230
Server:  my.isp.server
Address:  xx.xx.xx.xx

Name:    www.newsnow.co.uk
Address:  194.205.233.230
Aliases:  230.233.205.194.in-addr.arpa

With each refresh, the number of these connections increased, but after
about 20 minutes, more or less (about 4 refreshes), the number of these
connections seemed to be steady; 10 minutes after that, the number
decreased, but really slowly. I suppose there is a time-out somewhere in
the kernel that closed these after some idle time (shutting down network
interfaces didn't kill any of them).

I thought it could be my firewall (ipchains) configuration or IDS
(snort), so I turned off both for a while but the LAST_ACK connections
still grew in number with each refresh (so I assume none of my defenses
was involved).

I know that in HTTP you establish several connections for different
resources of the page but I thought that all ended in a CLOSE_WAIT state
until they were closed when you redirect your browser to another page.

My question is: could this method of creating idle LAST_ACK connections
be used to perform some kind of DoS attack? (What if this page had a
refresh of 10 seconds?) Maybe this is normal for some web pages out
there on the internet, but I'm worried that the time-out to kill these
connections is too big.

I also noticed that Snort reports a lot of 'ICMP Dest. Unreachable (Port
unreachable)' messages while connected through my browser to this page.
I don't know if this might be related but maybe the refresh combined
with the configuration of the web server or a filtering device in front
of it produces this thing.

Can anyone else reproduce this?

My box: Linux Mandrake 7.2 with kernel 2.2.18.
I also reproduced this on some other boxes: Linux Mandrake 7.2
(kernel 2.2.17) and Linux Mandrake 7.0 (kernel 2.2.14).

Thanks

Omar Herrera
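A quick check for the accumulation described in the post, added here as an example and not code from the thread: it parses 'netstat -an' output and tallies CLOSE_WAIT and LAST_ACK sockets per remote peer, so a per-host pile-up like the one above stands out. Both states mean the peer has already sent its FIN; in CLOSE_WAIT the local application still holds the socket open, in LAST_ACK the local FIN has gone out and only the peer's final ACK is outstanding. The sample listing is constructed (modelled on the one above, with a LISTEN and an ESTABLISHED line added) and the alert threshold is an assumed value.

```python
"""Tally half-closed TCP connections per peer from netstat -an output."""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the netstat listing in the post above.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        1      0 148.221.217.137:4232    194.205.233.230:80      CLOSE_WAIT
tcp        1      0 148.221.217.137:4231    194.205.233.230:80      CLOSE_WAIT
tcp        0    416 148.221.217.137:4225    194.205.233.230:80      LAST_ACK
tcp        0    452 148.221.217.137:4207    194.205.233.230:80      LAST_ACK
tcp        1      1 148.221.217.137:4202    194.205.233.230:80      LAST_ACK
tcp        0      0 148.221.217.137:4300    10.0.0.5:443            ESTABLISHED
"""

# Both states mean the peer already sent FIN: CLOSE_WAIT means the local
# application still holds the socket; LAST_ACK means the local FIN has been
# sent and only the peer's final ACK is outstanding.
HALF_CLOSED = {"CLOSE_WAIT", "LAST_ACK"}

# Linux netstat socket line: proto, queues, local, foreign, optional state.
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*(\S+)?$")

def parse_netstat(text):
    """Yield (proto, recvq, sendq, local, foreign, state) per socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, rq, sq, local, foreign, state = m.groups()
            yield proto, int(rq), int(sq), local, foreign, state or ""

def half_closed_by_peer(text):
    """Count CLOSE_WAIT and LAST_ACK sockets per (foreign host:port, state)."""
    counts = Counter()
    for _, _, _, _, foreign, state in parse_netstat(text):
        if state in HALF_CLOSED:
            counts[(foreign, state)] += 1
    return counts

def peers_over_threshold(text, threshold):
    """Peers whose half-closed socket total reaches the (assumed) threshold."""
    totals = defaultdict(int)
    for (foreign, _), n in half_closed_by_peer(text).items():
        totals[foreign] += n
    return sorted(p for p, n in totals.items() if n >= threshold)
```

On a live box, feed the real output of 'netstat -an' to half_closed_by_peer and run it a few times over the page's refresh interval; a peer whose LAST_ACK count keeps climbing between samples is the pattern the post describes.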

