Great Circle Associates Firewalls
(October 1996)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: WWW Port 80 connections 2-3 times/second...
From: "Roy.Hills" <rsh @ inmarsat . org>
Date: Fri, 18 Oct 1996 16:31:58 +0100
To: "Alex \"Achmed\" McCubbin" <alexm @ chancery . com>
Cc: "'firewalls @ greatcircle . com'" <firewalls @ greatcircle . com>, rsh @ inmarsat . org
In-reply-to: Your message of "Fri, 11 Oct 1996 10:51:01 PDT." <01BBB762 . 2083B0C0 @ dreadlock . chancery . com>

In message <01BBB762 .
 2083B0C0 @
 dreadlock .
 chancery .
 com>, "Alex \"Achmed\" McCubbi
n" writes:
>In my firewall logs, I have a machine (mac) on my internal private =
>network that has occasionally hit my non-existent web server port 80 on =
>the firewall 80-90 times per minute...  There is no reference to the =
>firewall in any config on that machine (that I can find) other than DNS. =
> I spoke with the user and he said that he used netscape during the day, =
>and he never tried to point to the firewall in a URL, even if he did, he =
>couldn't manually hit it 80-90 times a minute.  He said that his =
>netscape did crash at sometime around the same time the logs show, but =
>that's just  grasping at straws...  Anyone ever see this type of problem =
>in any of their logs?   This isn't the first time I've seen it, although =
>it is rare, and each time the person has been running netscape.

Looking a bit further into this, I think that TCP window probes may be the
cause of this problem, although they don't fully explain the high packet

When a TCP peer receives a window size of zero (indicating that the other end
of the connection cannot accept any more data), it will periodically send out
window probe packets to check to see if the window has opened.  The interval
between probes increases to 60 seconds and them remains at one packet every
60 seconds for ever - I don't think that there is any limit to how long this
will go on for.

If a system is running Netscape and crashes or is otherwise ungracefully
terminated when it is advertising a zero window, I would suspect that
an infinate stream of window probes from the web server would result.  I also
suspect that the zero window condition would be fairly common because HTTP
often involves intensive TCP transfers.

If the server employs TCP keepalives, then I guess that the keepalive mechanism
should detect the dead connection after about two hours.  Otherwise I think
that this will carry on until the server is taken down or some other action
is taken to tear down the TCP connection - I think that sending a TCP Reset
in response to one of these probes should tear down the connection and this
is what I would expect to happen when the client was re-started and started
to receive TCP window probes for a non-existant connection.

The only flaw in this argument is that TCP window probes should occur once
every 60 seconds once they have fully backed off and not more than once per
second as you are seeing.

Roy Hills                                     Email: Roy .
 Hills @
 inmarsat .
Inmarsat                                      Tel:   +44 171 728 1033 (ddi)
99 City Road, London EC1Y 1AX, UK             Fax:   +44 171 728 1254

Indexed By Date Previous: RE: Does DEC's products support VPN?
From: Dan Tshin <dtshin @ bulldog . ca>
Next: Re: Firewalls
From: Adam Shostack <adam @ homeport . org>
Indexed By Thread Previous: Re: WWW Port 80 connections 2-3 times/second...
From: "bettez @ telecom . hydro . qc . ca" <bettez @ telecom . hydro . qc . ca>
Next: Re: WWW Port 80 connections 2-3 times/second...
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>

Search Internet Search