Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
https://forum.ivorde.com/

FreeBSD TCP keepalive/keepinit/keepidle behavior - TCP sysctl MIBs FIN_WAIT_1 state
https://forum.ivorde.com/freebsd-tcp-keepalive-keepinit-keepidle-behavior-tcp-sysctl-mibs-fin-wait-1-state-t3751.html

Author:  debuser [ Sun Jun 10, 2012 3:33 pm ]
Post subject:  FreeBSD TCP keepalive/keepinit/keepidle behavior - TCP sysctl MIBs FIN_WAIT_1 state

FreeBSD TCP stack behavior for one connection under sockstress flood (zero window attack):
Code:
15:10:18.794551 IP 10.1.23.2.64980 > 10.1.22.3.80: S 246816765:246816765(0) win 59395 <eol> ---> SYN
15:10:18.796141 IP 10.1.22.3.80 > 10.1.23.2.64980: S 2890464131:2890464131(0) ack 246816766 win 65535 <mss 1460> ---> SYN+ACK
15:10:18.796167 IP 10.1.23.2.64980 > 10.1.22.3.80: . ack 1 win 0 <eol> ---> ACK (Zero window)
15:11:18.798688 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535 ---> FIN
15:11:18.798717 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:11:21.797927 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:11:27.996397 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:11:40.193448 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:12:04.387538 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:12:52.575838 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:13:56.560308 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:15:00.544710 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:16:04.529138 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:17:08.513608 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:18:12.498046 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:19:16.482546 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:20:18.651406 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535 ---> First TCP keepalive probe
15:20:20.466890 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:20:28.649147 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
15:20:38.646574 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
15:20:48.644116 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
15:20:58.641709 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
15:21:08.639247 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
15:21:18.636849 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
15:21:24.451419 IP 10.1.22.3.80 > 10.1.23.2.64980: R 1:1(0) ack 1 win 65535



Using following tcp settings:
Code:
#define  TCPTV_KEEPCNT  8        /* max probes before drop */
net.inet.tcp.keepidle: 600000
net.inet.tcp.keepintvl: 10000
net.inet.tcp.keepinit: 30000
net.inet.tcp.always_keepalive: 1


Conclusion:
1. During the 10 minutes (net.inet.tcp.keepidle: 600000 milliseconds) of idle, retransmission of the FIN packet occurs every 3, 6, ..., 48 seconds.
2. After these 10 min, 7 TCP keepalive probes are sent, every 10 seconds (net.inet.tcp.keepintvl: 10000 milliseconds).
3. Finally, FreeBSD resets the connection.
4. The server socket sits in the "FIN_WAIT_1" state (see TCP state diagram) before being closed.
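As an added example (not from the post or from FreeBSD itself), the script below parses tcpdump lines of the form shown above and measures what the conclusions describe: the backoff between FIN retransmits, the idle time before the first keepalive probe, and the probe spacing, then checks the last two against net.inet.tcp.keepidle and net.inet.tcp.keepintvl. It works on a constructed subset of the trace embedded inline; the server address 10.1.22.3.80 is taken from the trace.

```python
import re
from datetime import datetime

# Constructed subset of the post's tcpdump trace (server 10.1.22.3:80); "---> ..." notes stripped.
TRACE = """\
15:10:18.794551 IP 10.1.23.2.64980 > 10.1.22.3.80: S 246816765:246816765(0) win 59395 <eol>
15:10:18.796141 IP 10.1.22.3.80 > 10.1.23.2.64980: S 2890464131:2890464131(0) ack 246816766 win 65535 <mss 1460>
15:10:18.796167 IP 10.1.23.2.64980 > 10.1.22.3.80: . ack 1 win 0 <eol>
15:11:18.798688 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:11:21.797927 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:11:27.996397 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:11:40.193448 IP 10.1.22.3.80 > 10.1.23.2.64980: F 1:1(0) ack 1 win 65535
15:20:18.651406 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
15:20:28.649147 IP 10.1.22.3.80 > 10.1.23.2.64980: . ack 1 win 65535
15:21:24.451419 IP 10.1.22.3.80 > 10.1.23.2.64980: R 1:1(0) ack 1 win 65535
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): (\S+) ")

def parse_trace(text):
    """Return (timestamp, src, dst, flags) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S.%f"), *m.groups()[1:]))
    return events

def gaps(times):
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def analyze(events, server):
    """Measure the server-side timers visible in the trace, in seconds."""
    fins = [t for t, s, _, f in events if s == server and f == "F"]
    # Pure ACKs sent by the server after the handshake are the keepalive probes here.
    probes = [t for t, s, _, f in events if s == server and f == "."]
    resets = [t for t, s, _, f in events if s == server and f == "R"]
    last_from_peer = max(t for t, s, _, _ in events if s != server)
    return {
        "fin_retransmit_gaps": gaps(fins),  # exponential backoff between FIN retransmits
        "idle_before_first_probe": (probes[0] - last_from_peer).total_seconds(),
        "probe_gaps": gaps(probes),
        "reset_after_last_peer_segment": (resets[0] - last_from_peer).total_seconds(),
    }

def matches_sysctl(result, keepidle_ms=600000, keepintvl_ms=10000, tol=1.0):
    """True if the observed idle time and probe spacing agree with keepidle/keepintvl (ms)."""
    idle_ok = abs(result["idle_before_first_probe"] - keepidle_ms / 1000) < tol
    intvl_ok = all(abs(g - keepintvl_ms / 1000) < tol for g in result["probe_gaps"])
    return idle_ok and intvl_ok
```

Feeding it a full `tcpdump -tt`-style capture of one connection is the quickest way to confirm that a host's keepalive sysctls are actually in effect rather than inherited defaults.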
