Close ESTABLISHED connection based just on a SYN/ACK sequence

0

After the discussion "Connection remains flagged as ESTABLISHED even if host is unconnected" I am back again to ask for further information.

Summary: I have a remote host (Windows client) which connects to my Linux embedded system (the server which I use to transmit or to receive data). In this situation, once the client is connected it starts to retrieve data from the server through the TCP protocol. If the client disconnects, the connection on the server does not disappear. It remains as ESTABLISHED.
I did not program the applications used to retrieve and send packets between the two hosts (however I could modify the source code on the server side), but if I am not wrong it's not necessary.

After analyzing the network traffic with tcpdump I see that this issue is due to a SYN/ACK sequence (at least that is what I understand) from this sample output:

13:02:38.085996 IP 192.168.11.98.2101 > 192.168.11.50.58987: Flags [P.], seq 151644:151648, ack 1, win 473, length 4
13:02:38.283570 IP 192.168.11.98.2101 > 192.168.11.50.58987: Flags [P.], seq 151648:151916, ack 1, win 473, length 268
13:02:39.289412 IP 192.168.11.98.2101 > 192.168.11.50.58987: Flags [P.], seq 151916:151920, ack 1, win 473, length 4
13:02:39.489854 IP 192.168.11.98.2101 > 192.168.11.50.58987: Flags [P.], seq 151920:152226, ack 1, win 473, length 306
13:02:40.093989 IP 192.168.11.98.2101 > 192.168.11.50.58987: Flags [P.], seq 152226:152230, ack 1, win 473, length 4

But the client is not retrieving any data, nor is the server sending it; it's just a SYN/ACK sequence. It continues forever and the only way to stop this is to change the server configuration (receiver mode) or to unplug the Ethernet adapter. This is not an acceptable solution.

If I am not wrong it could be considered a SYN flood attack.

The question is: how can I avoid such a situation by closing the connection from the server side?
Is it possible to do so from some configuration file or from the firewall without limiting the incoming connections (as suggested here)?

simo-zz

Posted 2016-01-05T13:34:12.880

Reputation: 191

How does "the remote host turn off the connection"? Because there is quite some communication involved between the first host deciding it wants to stop and the actual end of the connection. (E.g. see the diagram http://serverfault.com/questions/450055/lot-of-fin-wait2-close-wait-last-ack-and-time-wait-in-haproxy). Does the prog close cleanly? Do you see any of the FIN_WAIT messages?

– Hennes – 2016-01-05T13:38:25.417

No, no FIN_WAIT packets. I also think that the client does not close the connection properly. – simo-zz – 2016-01-05T13:43:27.023

If the client just leaves the connection hanging then it stays established (as it should!). And some keep-alives are a good idea on an established idle connection. Basically, it works as it should, based on the behaviour of the client. If you have the source code of the client then maybe we could say more (or maybe we could, though it might get migrated if it turns into a [SO] post.) – Hennes – 2016-01-05T13:46:43.213

OK, I finally confirmed that the problem is in the source code of the applications. I will have to fix them. – simo-zz – 2016-01-05T13:59:14.213

No answers
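The question asks how the server can drop a connection whose peer has silently gone away, and the comment thread points at keep-alives on an established idle connection as the mechanism. The following is an added example, not code from the thread or from the applications the asker describes: it enables TCP keepalive on the server side of an accepted socket, reads back what the kernel accepted, and computes the worst-case time before an unresponsive peer is detected and the socket errors out. The loopback connection, the chosen timer values (30 s idle, 10 s interval, 3 probes) and the function names are assumptions for the demonstration; the socket option names are the standard ones (TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT on Linux, TCP_KEEPALIVE for the idle timer on macOS).

```python
"""Bound the lifetime of a half-open TCP connection with per-socket keepalives.

Added example (not from the thread).  Once keepalive is on, the kernel probes
a silent peer after `idle` seconds, repeats every `interval` seconds, and
aborts the connection after `count` unanswered probes, so a server that blocks
in recv() gets an error instead of an ESTABLISHED connection that never dies.
"""
import socket


def enable_keepalive(sock, idle=30, interval=10, count=3):
    """Enable TCP keepalive on an already-connected TCP socket.

    Returns a dict of the values the kernel actually accepted (read back with
    getsockopt) so the caller can verify the configuration took effect; a knob
    the platform does not expose per socket is reported as None.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0
    }

    # Linux names the idle timer TCP_KEEPIDLE; macOS calls it TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    knobs = (
        ("idle", idle_opt, idle),
        ("interval", getattr(socket, "TCP_KEEPINTVL", None), interval),
        ("count", getattr(socket, "TCP_KEEPCNT", None), count),
    )
    for name, opt, value in knobs:
        if opt is None:
            applied[name] = None
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)

    # Linux only: also cap how long unacknowledged *data* may sit in the send
    # queue (milliseconds) before the connection is aborted, which covers the
    # case where the server is pushing data rather than sitting idle.
    user_timeout = getattr(socket, "TCP_USER_TIMEOUT", None)
    if user_timeout is not None:
        sock.setsockopt(socket.IPPROTO_TCP, user_timeout,
                        dead_peer_deadline(idle, interval, count) * 1000)
        applied["user_timeout_ms"] = sock.getsockopt(socket.IPPROTO_TCP, user_timeout)
    else:
        applied["user_timeout_ms"] = None
    return applied


def dead_peer_deadline(idle, interval, count):
    """Worst-case seconds before an unresponsive peer is declared dead:
    the idle wait plus one interval for every probe that goes unanswered."""
    return idle + interval * count


def demo_loopback(idle=30, interval=10, count=3):
    """Stand-in for the embedded server's accept() path (assumption: loopback
    instead of the real Windows client).  Opens a TCP connection to itself,
    hardens the server-side socket and returns what the kernel reports."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, no fixed listener needed
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()
    try:
        return enable_keepalive(server_side, idle, interval, count)
    finally:
        server_side.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    print(demo_loopback())
    print("peer declared dead after at most",
          dead_peer_deadline(30, 10, 3), "seconds of silence")
```

Applying this in the server's accept loop needs no change to the client and does not limit incoming connections; the firewall is not involved. The same three timers exist system-wide as the Linux sysctls net.ipv4.tcp_keepalive_time, net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_probes, but those only take effect for sockets that have SO_KEEPALIVE enabled, so the setsockopt call in the server is still required.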