Why do some machines respond with many RST packets instead of RST-ACK to refuse a connection?

Posted by Michael J. Gray on Server Fault See other posts from Server Fault or by Michael J. Gray
Published on 2012-11-04T14:53:59Z Indexed on 2012/11/04 17:04 UTC
Read the original article Hit count: 234

Filed under:

firewall

|

tcp

|

packet-capture

I have recently been trying to track down a problem with one of our systems and have noticed that it is simply not allowed to connect to a remote machine.

However, the remote machine (not controlled by us) is responding to our request for a connection with many TCP RST packets on a different port (26469, 26497, 26498) than the one we originated on (53).

It simply wouldn't let up at one point and flooded us with about 10 packets/second for an hour or two of only RST on those obscure high ports.

Out of the thousands of nodes we're connecting to, this is the only one ever to show this behavior. What could possibly cause this?

EDIT

Below is a screenshot of Wireshark when it happened. I don't have the actual dump anymore and can't reproduce this specific scenario every time. Basically, we sent a SYN and immediately got RST on an odd port and so we respond with RST and just keep going back and forth. RST Spam

© Server Fault or respective owner

Related posts about firewall

Managed hosting firewall vs managing own firewall

as seen on Server Fault - Search for 'Server Fault'
I posted on stackoverflow as to the overall benefits of managed hosting vs non-managed hosting. The more I think about it, it seems to boil down to one question: should I use a managed host because they take care of the firewall, or would I be okay managing my own, software firewall? The sites… >>> More
Hardware firewall vs VMWare firewall appliance

as seen on Server Fault - Search for 'Server Fault'
We have a debate in our office going on whether it's necessary to get a hardware firewall or set up a virtual one on our VMWare cluster. Our environment consists of 3 server nodes (16 cores w/ 64 GB RAM each) over 2x 1 GB switches w/ an iSCSI shared storage array. Assuming that we would be dedicating… >>> More
Firewall behind firewall

as seen on Server Fault - Search for 'Server Fault'
I've recently changed jobs and I've been set up with a new workstation. On all previous places where I've been working they've had some sort of local firewall installed on each and every workstation - but here I've been told not to activate it because it is not necessary since we're already behind… >>> More
We have no SW Firewall behind our office HW firewall, admin says its not req'd

as seen on Server Fault - Search for 'Server Fault'
I've recently changed jobs and I've been set up with a new workstation. On all previous places where I've been working they've had some sort of local firewall installed on each and every workstation - but here I've been told not to activate it because it is not necessary since we're already behind… >>> More
Can't get FTP to work on centOS 5.6

as seen on Server Fault - Search for 'Server Fault'
Hi guys I have been trying for a few hours to install and get FTP to work... I did yum install ftp and yum install vsftpd They all installed and are running but when I try to use filezilla or some other client I just can't connect....I've tried connecting on port 21 and port 990 ....nothing! These… >>> More

Related posts about tcp

TCP RST Reset Every 5 Minutes on Windows 2003 sp2

as seen on Server Fault - Search for 'Server Fault'
Hey, Recently I had a web developer come to me and ask why he was receiving connection errors in his app that was accessing a sql database. So, I went through my normal trouble shooting steps to isolate or reproduce the issue. I discovered that if I connected to the database using Query Analyzer… >>> More
iptables issue on plesk

as seen on Server Fault - Search for 'Server Fault'
i don't know how to open a specific port (rtmp=1935) on my CentOS server using Plesk or itables. I created new rules for port 1935 i/o using Plesk/Modules/Firewall but this doesn't work. Nmap scanning tells me this : 1935/tcp filtered rtmp . So i decided to have look at my iptable using SSH (iptables… >>> More
Httpd problem, suspect an attack but not sure

as seen on Server Fault - Search for 'Server Fault'
On one of my servers when I type netstat -n I get a huge output, something like 400 entries for httpd. The bandwidth on the server isn't high, so I'm confused as to what's causing it. I'm suspecting an attack, but not sure. Intermittently, the web server will stop responding. When this happens… >>> More
Why can blocked IPs get through my iptables? What's wrong with this configuration?

as seen on Server Fault - Search for 'Server Fault'
(Why can/How are) blocked IPs (get/getting) through my iptables? Hello and thanks for your consideration... I have configured iptables and included (below) output from the command "iptables --line-numbers -n -L" yet IP addresses (like 31.41.219.180) from IP blocks I have already blocked are getting… >>> More
iptables syn flood countermeasure

as seen on Server Fault - Search for 'Server Fault'
I'm trying to adjust my iptables firewall to increase the security of my server, and I found something a bit problematic here : I have to set INPUT policy to ACCEPT and, in addition, to have a rule saying iptables -I INPUT -i eth0 -j ACCEPT. Here comes my script (launched manually for tests) : #… >>> More