FreeBSD TCP keepalive/keepinit/keepidle behavior - TCP sysctl MIBs FIN_WAIT

FreeBSD TCP keepalive/keepinit/keepidle behavior - TCP sysctl MIBs FIN_WAIT_1 state

FreeBSD TCP stack behavior for one connection under sockstress flood (zero window attack):

Code:

10:18.794551 IP 10.1.23.2.64980 > 10.1.22.3.80: S 246816765:246816765(0) win 59395 <eol> ---> SYN
10:18.796141 IP 10.1.22.3.80 > 10.1.23.2.64980: S 2890464131:2890464131(0) ack 246816766 win 65535 <mss 1460> ---> SYN+ACK
10:18.796167 IP 10.1.23.2.64980 > 10.1.22.3.80: . ack 1 win 0 <eol> ---> ACK (Zero window)
11:18.798688 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535 ---> FIN
11:18.798717 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
11:21.797927 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
11:27.996397 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
11:40.193448 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
12:04.387538 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
12:52.575838 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
13:56.560308 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:00.544710 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
16:04.529138 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
17:08.513608 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
18:12.498046 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
19:16.482546 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
20:18.651406 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535 ---> First TCP keepalive probe
20:20.466890 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
20:28.649147 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
20:38.646574 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
20:48.644116 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
20:58.641709 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
21:08.639247 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
21:18.636849 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
21:24.451419 IP 10.1.22.3.80 > 10.1.23.2.64980: R 1:1(0) ack 1 win 65535

Using following tcp settings:

Code:

#define  TCPTV_KEEPCNT  8        /* max probes before drop */
net.inet.tcp.keepidle: 600000
net.inet.tcp.keepintvl: 10000
net.inet.tcp.keepinit: 30000
net.inet.tcp.always_keepalive: 1

Conclussion:
1. During the 10 minutes (net.inet.tcp.keepidle: 600000 miliseconds) of idle retransmission of FIN packet occurs every 3,6...,48 seconds.
2. After these 10 min, 7 tcp keepalive probes are sent, every 10 seconds (net.inet.tcp.keepintvl: 10000 milisec)
3. Finally, FreeBSD resets the connection.
4. Server sockets sits in "FIN_WAIT_1" (see tcp state diagram) state before being closed.

Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Cisco / Juniper related articles

FreeBSD TCP keepalive/keepinit/keepidle behavior - TCP sysctl MIBs FIN_WAIT_1 state

FreeBSD TCP keepalive/keepinit/keepidle behavior - TCP sysctl MIBs FIN_WAIT_1 state