I've been fighting off a weird issue we've been having in our internal network: from time to time, multiple applications that we use simply freeze: SQL Management Studio, Red-Gate's Data Compare, Citrix GOTOMeeting and so forth.

I decided to get a trace of the network using Wireshark. I noticed that just before things "froze", a MASSIVE number of RST packets were being sent FROM our clients to the destinations, at the same time.

We're talking 37 RST packets at the same time (obviously milliseconds apart) to different destinations. Notice that the RST packets are not being sent due to a failed 3-way handshake ... they are being sent randomly.

What could be the cause? What should I be trying to test? Thank you.

Itzik
  • More details, please. When you say clients, do you mean internal hosts or external hosts? Which host or hosts are the RST packets originating from? What are the destinations, are they internal hosts or external hosts? – joeqwerty Sep 21 '11 at 01:05
  • @joeqwerty, the RST packets always generate from internal hosts to external hosts, without a single exception. – Itzik Sep 21 '11 at 01:09
  • From multiple internal hosts? Multiple external hosts? What are these external hosts and what type of connection is it: HTTP, RDP, etc.? What is common to the internal or external hosts when this happens? Where are you seeing the RST packets, on the inside or the outside of the firewall? – joeqwerty Sep 21 '11 at 01:22
  • I have a network trace for only one internal host, but the same behavior has been reported from different internal hosts also. The external hosts vary: Google (HTTP), SQL Server (TCP), there are so many .... I'm seeing the RST packets on the inside of the firewall, not the outside. I'm not sure regarding what's common between internal/external ... http://imageshack.us/photo/my-images/43/screenshot20110920at551.png/ – Itzik Sep 21 '11 at 01:35

1 Answer

This is a response to a port scan. RST+ACK is a response to a SYN when the port is not being listened to. Your computers are generating this, for a wide variety of ports. Presumably, you're not listening on that wide variety of ports, so you respond to each connection attempt with a RST+ACK.

David Schwartz
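
One way to test the explanation given in the answer against a capture, as an added example that is not part of the original question or answer: label every RST sent by an internal host according to what preceded it on the same flow, so that RSTs answering an inbound SYN (a closed port replying to a probe) are separated from RSTs that tear down an established connection. The record format, addresses and function names are assumptions made for this sketch, and the sample packets are constructed.

```python
from collections import defaultdict

# Constructed sample records (not from the poster's trace):
# (time_s, src, sport, dst, dport, tcp_flags). 10.0.0.5 is the internal host.
SAMPLE = [
    (0.000, "203.0.113.9", 40000, "10.0.0.5", 23, "S"),
    (0.001, "10.0.0.5", 23, "203.0.113.9", 40000, "RA"),
    (0.002, "203.0.113.9", 40001, "10.0.0.5", 445, "S"),
    (0.003, "10.0.0.5", 445, "203.0.113.9", 40001, "RA"),
    (1.000, "10.0.0.5", 51000, "198.51.100.7", 1433, "S"),
    (1.020, "198.51.100.7", 1433, "10.0.0.5", 51000, "SA"),
    (1.021, "10.0.0.5", 51000, "198.51.100.7", 1433, "A"),
    (9.500, "10.0.0.5", 51000, "198.51.100.7", 1433, "R"),
    (9.501, "10.0.0.5", 51001, "198.51.100.8", 80, "R"),
]

def classify_resets(packets, internal):
    """Label each RST sent by `internal` by what preceded it on the same flow."""
    syn_from = defaultdict(set)   # flow key -> hosts that sent a bare SYN
    established = set()           # flow keys on which a SYN/ACK was seen
    results = []
    for ts, src, sport, dst, dport, flags in packets:
        key = frozenset([(src, sport), (dst, dport)])
        if "R" in flags and src == internal:
            if key in established:
                label = "reset-of-established-connection"
            elif dst in syn_from[key]:
                label = "reply-to-inbound-syn"   # closed port answering a probe
            else:
                label = "no-inbound-syn-seen"    # no earlier context in capture
            results.append((ts, dst, dport, label))
        elif flags == "S":
            syn_from[key].add(src)
        elif flags == "SA":
            established.add(key)
    return results

def summarize(results):
    """Count RSTs per label."""
    counts = defaultdict(int)
    for _, _, _, label in results:
        counts[label] += 1
    return dict(counts)

if __name__ == "__main__":
    for row in classify_resets(SAMPLE, "10.0.0.5"):
        print(row)
```

If most RSTs in a burst fall under `reply-to-inbound-syn`, the capture matches the port-scan explanation; a burst dominated by `reset-of-established-connection` points at something tearing down live sessions instead.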