4

I run a web server and log connections that are dropped. Occasionally, I get a burst of TCP RST packets from some of my clients, like this:

Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:29 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0
Feb 11 11:56:30 SRC=1.2.3.4 TTL=57 SPT=38383 DPT=80 WINDOW=0 RST URGP=0

Is this a RST flood attack, DDOS attack, TCP reset attack or some other phenomenon?

user68300
  • 41
  • 1

1 Answers1

2

There is a few things that could be going on. Its possible that this is related to ECN on firewalls which can cause this, but I can assure you this in probably not any type of flooding attack or DDOS.

One reason a device will send a RST is in response to receiving a packet for a closed socket.

It's hard to give a firm but general answer, because every possible perversion has been visited on TCP since its inception, and all sorts of people might be inserting RSTs in an attempt to block traffic.

But as I said before, this looks more like a firewall is throwing up requests. I wouldn't be to concerned. You could do a more verbose look into that SRC see who's doing what.

Cameron Does Things
  • 582
  • 3
  • 10