Date: Wed, 11 Dec 1996 17:45:49 -0700 (MST)
From: Marc Slemko <marcs@znep.com>
To: hackers@freebsd.org
Subject: TCP FIN/ACK storm oddity
Message-ID: <Pine.BSF.3.95.961211173514.29879H-100000@alive.ampr.ab.ca>

We ran into a situation with a FreeBSD-stable box and an Ascend MAX 4000 router that was somewhat odd.

The MAX has a pretty little full screen display that is constantly updated with status information. I telnetted to the MAX from the FreeBSD box, and then suspended the telnet session and forgot about it, leaving it stopped in the background on the FreeBSD box. A few hours later, I remembered it and brought it back to the foreground. It started displaying a whole bunch of updates very quickly then, as expected, died because it had been suspended too long.

After it died, I observed a flood of packets such as the following on the ethernet:

16:31:46.852314 futurity.worldgate.com.telnet > darkly.worldgate.com.1194: . ack 490176104 win 2048
16:31:46.852489 darkly.worldgate.com.1194 > futurity.worldgate.com.telnet: F 490176104:490176104(0) ack 595604 win 17153 (DF) [tos 0x10]
16:31:46.853961 futurity.worldgate.com.telnet > darkly.worldgate.com.1194: . ack 490176104 win 2048
16:31:46.855045 darkly.worldgate.com.1194 > futurity.worldgate.com.telnet: F 490176104:490176104(0) ack 595604 win 17153 (DF) [tos 0x10]
16:31:46.855161 futurity.worldgate.com.telnet > darkly.worldgate.com.1194: . ack 490176104 win 2048
16:31:46.855364 darkly.worldgate.com.1194 > futurity.worldgate.com.telnet: F 490176104:490176104(0) ack 595604 win 17153 (DF) [tos 0x10]
16:31:46.856240 futurity.worldgate.com.telnet > darkly.worldgate.com.1194: . ack 490176104 win 2048
16:31:46.856503 darkly.worldgate.com.1194 > futurity.worldgate.com.telnet: F 490176104:490176104(0) ack 595604 win 17153 (DF) [tos 0x10]

futurity is the MAX, darkly is the FreeBSD box. A tcpdump -w stored a dozen megs of this in a couple of minutes.

It looks like darkly is trying to close the connection to futurity, so it is sending a FIN. It then gets an ACK back from futurity, as it should. However, why does darkly send another FIN? Shouldn't it then shut up and let things close? Should futurity be ignoring any more FINs it gets after the first one?

The other possibility is that the connection is already closed on darkly, and futurity is the one trying to send an ACK. However I don't see why darkly would send a FIN in response to an ACK for a connection it no longer knew anything about; it should send a RST from my reading of things.

Unfortunately I don't know exactly what state the connection was in on the FreeBSD box while this was happening. After a few minutes of this, I put a packet filter in on the FreeBSD box to stop the packets and the storm died.

Any ideas?
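
An added example, not part of the original message: a small detector that reads tcpdump text output in the format shown above and flags a flow where the same zero-length FIN is resent in a burst while the peer keeps answering with a bare ACK whose number equals the FIN's sequence number, which is the pattern in the capture. The function names, the thresholds (3 repeats within 1 second) and the SAMPLE constant are assumptions of this example; SAMPLE holds the eight lines quoted in the message.

```python
import re
from collections import defaultdict

# Old-style tcpdump text: time, "src > dst:", flags, optional seq:end(len), optional ack
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) (\S+) > (\S+): (\S+)"
    r"(?: (\d+):(\d+)\((\d+)\))?(?: ack (\d+))?")

# The eight capture lines quoted in the message (trailing options trimmed)
SAMPLE = """\
16:31:46.852314 futurity.worldgate.com.telnet > darkly.worldgate.com.1194: . ack 490176104 win 2048
16:31:46.852489 darkly.worldgate.com.1194 > futurity.worldgate.com.telnet: F 490176104:490176104(0) ack 595604 win 17153
16:31:46.853961 futurity.worldgate.com.telnet > darkly.worldgate.com.1194: . ack 490176104 win 2048
16:31:46.855045 darkly.worldgate.com.1194 > futurity.worldgate.com.telnet: F 490176104:490176104(0) ack 595604 win 17153
16:31:46.855161 futurity.worldgate.com.telnet > darkly.worldgate.com.1194: . ack 490176104 win 2048
16:31:46.855364 darkly.worldgate.com.1194 > futurity.worldgate.com.telnet: F 490176104:490176104(0) ack 595604 win 17153
16:31:46.856240 futurity.worldgate.com.telnet > darkly.worldgate.com.1194: . ack 490176104 win 2048
16:31:46.856503 darkly.worldgate.com.1194 > futurity.worldgate.com.telnet: F 490176104:490176104(0) ack 595604 win 17153
""".splitlines()

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, dst, flags, seq, _end, length, ack = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, dst, flags, seq, length, ack

def find_fin_storms(lines, min_repeats=3, window=1.0):
    """Flag flows where one zero-length FIN (same seq) is resent min_repeats
    times within `window` seconds and the peer sends at least as many bare
    ACKs carrying that same number."""
    fins, acks = defaultdict(list), defaultdict(int)
    for ts, src, dst, flags, seq, length, ack in filter(None, map(parse, lines)):
        if "F" in flags and length == "0":
            fins[(src, dst, seq)].append(ts)
        elif flags == "." and seq is None and ack:
            acks[(src, dst, ack)] += 1
    storms = []
    for (src, dst, seq), t in fins.items():
        burst = any(t[i + min_repeats - 1] - t[i] <= window
                    for i in range(len(t) - min_repeats + 1))
        peer_acks = acks.get((dst, src, seq), 0)
        if burst and peer_acks >= min_repeats:
            storms.append({"fin_sender": src, "peer": dst, "seq": int(seq),
                           "fins": len(t), "peer_acks": peer_acks})
    return storms

if __name__ == "__main__":
    print(find_fin_storms(SAMPLE))
```

A flow reported by this check is a candidate for the kind of packet filter the message describes; timestamps are treated as same-day, so a capture that crosses midnight would need the date added.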