Re: [squid-users] Squid, Firewall & TCP RST Flags

From: Francesco Chemolli <gkinkie_at_gmail.com>
Date: Fri, 27 Dec 2013 09:12:47 +0100

On 27 Dec 2013, at 07:39, Nyamul Hassan <nyamul_at_gmail.com> wrote:

> Hi,
>
> Recently, we had some DDoS type attacks on our servers, so in an
> attempt to secure our systems, we added some iptables rules, which
> seem to work quite well on most of our servers.
>
> Even on systems dedicated to Squid, all seems to run well. However,
> one rule in particular seems to catch up a lot of entries in Squid
> machines, which are almost non-existent on the other non-Squid
> machines:
>
> -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j OUTRST -m comment
> --comment "OUTPUT: Catch RST pkt"
> -A OUTRST -j LOG --log-prefix "OUTRST: "
> -A OUTRST -j DROP -m comment --comment "OUTRST: Drop outbound RST"
>
> From what we have seen, this does not seem to have a detrimental
> effect on Squid Proxy. But, out of academic interest, we would still
> like to learn more on why so many RST packets would be generated from
> the server itself.
>
> Can anyone shed some light?

Hi Hassan,
  I guess that one of the reasons is that a proxy has way different traffic patterns than almost any other server: it talks to a lot of unreliably reachable servers, and as such it more often has to reinitialise the TCP state of a connection. There may be other reasons, with slightly different motivations but the same pattern. For instance:
- squid tries to keep TCP connection alive
- firewall on the server side has too-short session timeout
- firewall on server side silently drops connection
- squid gives up on keep alive, closes TCP session
- firewall drops FIN because no session in its session table
- squid RST

This pattern occurs more often than you'd think.

        Kinkie
Received on Fri Dec 27 2013 - 08:12:57 MST
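As an added illustration (not part of the thread or of Squid), here is a small Python script that parses the kernel log lines the OUTRST LOG rule quoted above produces and buckets outbound RSTs by which leg of the proxy they belong to, so the origin-server keep-alive pattern Kinkie describes can be told apart from RSTs sent back to clients. The log lines, addresses, ports and interface are constructed; 3128 is assumed to be Squid's listening port (its default http_port).

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the format that
# "-j LOG --log-prefix OUTRST: " writes (hypothetical hosts and ports).
SAMPLE_LOG = """\
Dec 27 08:01:02 proxy kernel: OUTRST: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Dec 27 08:01:05 proxy kernel: OUTRST: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40124 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Dec 27 08:01:09 proxy kernel: OUTRST: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.55 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40130 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Dec 27 08:02:14 proxy kernel: OUTRST: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.23 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51877 WINDOW=0 RES=0x00 RST URGP=0
Dec 27 08:02:30 proxy kernel: OUTRST: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.23 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51901 WINDOW=0 RES=0x00 RST URGP=0
Dec 27 08:02:31 proxy kernel: OUTRST: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.23 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51902 WINDOW=0 RES=0x00 RST URGP=0
Dec 27 08:03:00 proxy kernel: OUTRST: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.99 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=60000 WINDOW=0 RES=0x00 RST URGP=0
"""

# Fields we need from each LOG line: source, destination, TCP ports.
LINE_RE = re.compile(r"OUTRST: .*?SRC=(\S+) DST=(\S+) .*?PROTO=TCP SPT=(\d+) DPT=(\d+)")

def parse_outrst(log_text):
    """Yield (src, dst, sport, dport) for every OUTRST line in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

def classify_rsts(log_text, proxy_port=3128, origin_ports=(80, 443)):
    """Bucket outbound RSTs by which leg of the proxy they belong to.

    'origin': RST from an ephemeral port towards an origin server port,
              the keep-alive / firewall-timeout pattern from the reply.
    'client': RST from Squid's listening port back towards a client.
    'other' : anything else; worth a closer look.
    Returns {bucket: Counter(peer address -> count)}.
    """
    buckets = {"origin": Counter(), "client": Counter(), "other": Counter()}
    for src, dst, sport, dport in parse_outrst(log_text):
        if sport == proxy_port:
            buckets["client"][dst] += 1
        elif dport in origin_ports and sport >= 1024:
            buckets["origin"][dst] += 1
        else:
            buckets["other"][dst] += 1
    return buckets

if __name__ == "__main__":
    for name, counter in classify_rsts(SAMPLE_LOG).items():
        print(name, dict(counter))
```

On a real box, feed it the output of `dmesg` or the syslog file that receives kernel messages; a large 'origin' bucket spread over many distinct destinations matches the pattern in the reply, while a busy 'other' bucket deserves investigation.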

This archive was generated by hypermail 2.2.0 : Sat Dec 28 2013 - 12:00:06 MST