Why does the server suddenly reply with RST? Beware of network security devices

Causes of RST

  In general, there are three kinds of reasons for sending a TCP RST packet:

      1. A SYN segment arrives at a destination port on which no process is listening.

      2. TCP wants to abort an existing connection.

      3. TCP receives a data segment, and the connection that the segment identifies does not exist.

  In the first case, the common example is a terminal accessing a port that the server has not opened, and the server replying with an RST packet. For example, when accessing port 21 (FTP) on a web server, if the port is not open and the server does not filter requests to that port, the server will most likely answer the terminal's SYN packet with an RST packet. Therefore, in many cases the server's RST response to a SYN packet serves as a reliable basis for a port scanner to determine that the destination port is not open. Of course, in most scenarios a more secure implementation is for the server to silently discard packets that arrive at ports it is not listening on, without responding.

  The second situation is easier to understand. The normal way to tear down an existing TCP connection is to send FIN; the FIN packet is sent only after all queued data has been transmitted, so under normal circumstances there is no data loss. This is also called an orderly release. The other way to tear down an existing TCP connection is to send RST. The advantage of this method is that the connection can be terminated immediately, without waiting for the data transmission to complete; teardown by RST is called an abortive release. Most of the time the server needs to handle the two teardown methods differently, and many servers do not recognize teardown by RST. This is where care is needed: once it happens, especially when a large number of endpoints tear down connections with RST, the server-side connections may not be released effectively, degrading the server's normal processing capacity.

  In the last case, a TCP 4-tuple (source and destination IP, source and destination port) uniquely identifies a connection. Because of the TCP state machine, the first segment that triggers connection establishment must have the SYN flag set. Thus, when the server receives, for a new 4-tuple (one for which the server has no local connection), a first packet that is not a SYN, it discards the packet and replies to the terminal with an RST packet.

Symptom

  When logging in via the web terminal, after entering the username and password the web page shows that the connection was reset. The Ethereal capture is as follows:

  Terminal 10.153.42.65 accesses port 8051 on server 10.153.47.104. After the three-way handshake is established, the terminal sends an authentication request to the server, submitting the username and password, and the server immediately responds with an RST, tearing down the existing connection.

Problem analysis

  Comparing against the three cases above, we find that only reason 2 matches. But reason 2 merely says that the server can indeed return an RST packet at this point; it cannot explain why the server wants to reply with an RST.

  Now we need to consider a question: is this RST packet really a reply from the server? Judging by the sequence number, the RST packet can indeed correspond to the preceding packets (since the SYN flag logically occupies one byte of sequence space, the sequence number of the RST packet is the second packet's sequence number plus 1). A good way to determine whether a packet belongs to a given stream is to compare the TTL value in its IP header with that of the packets transmitted in the same direction. TCP is very sensitive to reordering, and a network device that forwarded the packets of one stream over different paths would introduce serious reordering, so network devices generally forward per flow (by 5-tuple: source and destination IP, source and destination port, protocol). Therefore, in most cases, the packets of one stream in the same direction in a capture always carry the same TTL value. Based on this, let's look at the TTL values of the second and fifth packets in the screenshot above:

  The TTL of the second packet is 251:

  The TTL of the fifth packet is 122:

  Therefore, we can basically conclude that the RST packet was sent by an intermediate transmission device. Checking the security devices on the traffic path, we find the corresponding log in the IPS:

  Because the username and password were both admin and were transmitted in plaintext, the defense rule for weak web login passwords was triggered and the connection was reset: the IPS impersonated the server and sent an RST packet to the terminal to tear down the connection. If you capture packets on the IPS device itself, you can see that the IPS also impersonated the terminal and sent an RST to the server at the same time.

  In many environments, when an intermediate security device blocks traffic with RST, the initial TTL is usually 64, 128 or 255, so the location of the intercepting security device can be inferred from the TTL seen in the terminal-side capture. Of course, some security devices leave no trace of an initial TTL value when they intercept; in that case the only option is to check hop by hop.
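  An added example, not part of the original post, of the TTL check described above: it takes a constructed capture modelled on the post's packets (terminal 10.153.42.65, server 10.153.47.104:8051, server-side TTL 251, RST TTL 122), flags any RST whose TTL differs from the baseline TTL of its direction, and estimates how many hops away the injecting device sits by assuming one of the initial TTLs 64, 128 or 255. The packet record and function names are the example's own.

```python
from collections import Counter
from typing import NamedTuple

INITIAL_TTLS = (64, 128, 255)  # common initial TTL values named in the post


class Pkt(NamedTuple):
    """Minimal view of a captured IP/TCP packet (example's own record type)."""
    src: str
    dst: str
    ttl: int
    flags: str  # e.g. "S", "SA", "A", "PA", "R"


def baseline_ttl(pkts, src, dst):
    """Most common TTL on non-RST packets flowing src -> dst, or None."""
    ttls = Counter(p.ttl for p in pkts
                   if p.src == src and p.dst == dst and "R" not in p.flags)
    if not ttls:
        return None
    return ttls.most_common(1)[0][0]


def hops_from_initial(ttl):
    """Nearest plausible initial TTL (64/128/255) and the hop count it implies."""
    init = min(i for i in INITIAL_TTLS if i >= ttl)
    return init, init - ttl


def suspicious_rsts(pkts):
    """RSTs whose TTL differs from the stream baseline in the same direction."""
    findings = []
    for p in pkts:
        if "R" not in p.flags:
            continue
        base = baseline_ttl(pkts, p.src, p.dst)
        if base is not None and p.ttl != base:
            init, hops = hops_from_initial(p.ttl)
            findings.append({"ttl": p.ttl, "baseline": base,
                             "likely_initial_ttl": init, "hops_away": hops})
    return findings


# Constructed capture modelled on the post's screenshot (not real packet data).
TERM, SRV = "10.153.42.65", "10.153.47.104"
CAPTURE = [
    Pkt(TERM, SRV, 128, "S"),
    Pkt(SRV, TERM, 251, "SA"),
    Pkt(TERM, SRV, 128, "A"),
    Pkt(TERM, SRV, 128, "PA"),  # login request with username and password
    Pkt(SRV, TERM, 122, "R"),   # the RST under investigation
]
```

  Running `suspicious_rsts(CAPTURE)` reports the single RST with baseline 251, TTL 122 and a likely initial TTL of 128, i.e. about six hops from the terminal.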


Origin www.cnblogs.com/yurang/p/11980464.html