RE: TCP RST

From: Curt Girardin (curt.girardin@chicos.com)
Date: Thu Oct 25 2007 - 11:28:08 ART


I've seen this kind of "anomaly" happen before when you have an IPS or
some other kind of promiscuous device (like websense on a server) that
"sees" the traffic somehow, and attempts to shut it down with the RST
packet. Very difficult to diagnose, as these types of devices are also
known for spoofing IP and MAC addresses.

HTH,

Thanks,

Curt

 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Richard Dumoulin
Sent: Thursday, October 25, 2007 10:15 AM
To: ccielab@groupstudy.com
Subject: TCP RST

Hi group,

Has anyone ever encountered a situation in which the TCP handshake ends
abnormally with the initiator sending an RST instead of an ACK like
below?

Oct 24 20:07:39: IP: s=172.18.36.1 (GigabitEthernet0/0), d=172.18.9.201 (Tunnel1), g=172.31.142.1, len 60, forward

Oct 24 20:07:39: TCP src=721, dst=515, seq=490685076, ack=23590400, win=8192 SYN

Oct 24 20:07:39: IP: tableid=0, s=172.18.9.201 (Tunnel1), d=172.18.36.1 (GigabitEthernet0/0), routed via FIB

Oct 24 20:07:39: IP: s=172.18.9.201 (Tunnel1), d=172.18.36.1 (GigabitEthernet0/0), g=172.18.36.1, len 60, forward

Oct 24 20:07:39: TCP src=515, dst=721, seq=1989129666, ack=490685077, win=2096 ACK SYN

Oct 24 20:07:39: IP: tableid=0, s=172.18.36.1 (GigabitEthernet0/0), d=172.18.9.201 (GigabitEthernet0/1), routed via FIB

Oct 24 20:07:39: IP: s=172.18.36.1 (GigabitEthernet0/0), d=172.18.9.201 (Tunnel1), g=172.31.142.1, len 40, forward

Oct 24 20:07:39: TCP src=721, dst=515, seq=490685077, ack=0, win=0 RST

172.18.36.1 is an IBM host ES/9000 and 172.18.9.201 a printer.

Here TCP port 515 fails but any TCP session to any port initiated by
172.18.36.1 fails.

In the other way around it does not happen,

Thanks

-- Richard
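
Added example, not part of the original thread: a small Python parser for the debug output quoted above that pairs each TCP line with the IP line before it and flags flows where the SYN sender resets after a valid SYN-ACK. The function names are illustrative; the log text is copied from the post with wrapped lines joined.

```python
import re

# Debug output copied from the post above (mail-wrapped lines joined).
LOG = """\
Oct 24 20:07:39: IP: s=172.18.36.1 (GigabitEthernet0/0), d=172.18.9.201 (Tunnel1), g=172.31.142.1, len 60, forward
Oct 24 20:07:39: TCP src=721, dst=515, seq=490685076, ack=23590400, win=8192 SYN
Oct 24 20:07:39: IP: tableid=0, s=172.18.9.201 (Tunnel1), d=172.18.36.1 (GigabitEthernet0/0), routed via FIB
Oct 24 20:07:39: IP: s=172.18.9.201 (Tunnel1), d=172.18.36.1 (GigabitEthernet0/0), g=172.18.36.1, len 60, forward
Oct 24 20:07:39: TCP src=515, dst=721, seq=1989129666, ack=490685077, win=2096 ACK SYN
Oct 24 20:07:39: IP: tableid=0, s=172.18.36.1 (GigabitEthernet0/0), d=172.18.9.201 (GigabitEthernet0/1), routed via FIB
Oct 24 20:07:39: IP: s=172.18.36.1 (GigabitEthernet0/0), d=172.18.9.201 (Tunnel1), g=172.31.142.1, len 40, forward
Oct 24 20:07:39: TCP src=721, dst=515, seq=490685077, ack=0, win=0 RST
"""

IP_RE = re.compile(r"IP: (?:tableid=\d+, )?s=(\S+) \([^)]*\), d=(\S+) \(")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), seq=(\d+),\s*ack=(\d+), win=(\d+) (.+?)\s*$")

def parse_segments(text):
    """Pair each TCP detail line with the most recent IP line above it."""
    segments, last_ip = [], None
    for line in text.splitlines():
        if m := IP_RE.search(line):
            last_ip = m.groups()
        elif (m := TCP_RE.search(line)) and last_ip:
            sport, dport, seq, ack, win = map(int, m.groups()[:5])
            segments.append({"src": (last_ip[0], sport), "dst": (last_ip[1], dport),
                             "seq": seq, "ack": ack, "win": win,
                             "flags": set(m.group(6).split())})
    return segments

def initiator_resets(segments):
    """Return flows where the SYN sender answers a valid SYN-ACK with RST."""
    flows, findings = {}, []
    for s in segments:
        fwd, rev = (s["src"], s["dst"]), (s["dst"], s["src"])
        if s["flags"] == {"SYN"}:
            flows[fwd] = {"isn": s["seq"], "synack": False}
        elif s["flags"] == {"SYN", "ACK"} and rev in flows:
            # SYN-ACK is valid only if it acknowledges ISN+1 (mod 2^32)
            flows[rev]["synack"] = s["ack"] == (flows[rev]["isn"] + 1) % 2**32
        elif "RST" in s["flags"] and flows.get(fwd, {}).get("synack"):
            findings.append({"initiator": s["src"], "responder": s["dst"],
                             "rst_in_sequence": s["seq"] == (flows[fwd]["isn"] + 1) % 2**32,
                             "rst_ack": s["ack"], "rst_win": s["win"]})
    return findings

for finding in initiator_resets(parse_segments(LOG)):
    print(finding)
```

A RST whose sequence number equals the SYN-ACK's ack value and which carries no ACK flag is the form RFC 793 prescribes for a segment that matches no connection at the receiver. This debug output has no TTL, IP ID or MAC fields, so it cannot show by itself whether the host or a device in the path generated the reset; a capture taken on the initiator's segment is needed for that.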




This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:18 ART