[THIN] ICA, SYN, No ACK, possible stupidity

  • From: Henry Sieff <hsieff@xxxxxxxxxxxx>
  • To: "Thin List (E-mail)" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 16 Nov 2004 10:24:35 -0600

Ahh yes, serendipity.

An issue was referred to me a few days ago - users were having difficulty
connecting to a published application. It turns out that one of the servers
serving this particular app was fine, but I couldn't initiate an ICA
connection to the other.

Telnetted to 1494, got the ICA ICA ICA.

Fired up ethereal. Launched ICA session - 3wayHS successful, but bam! RST
packet sent from the server to me immediately afterwards. ?!?!?!

Rebooted the server, fine for a second, then almost immediately, couldn't
get in again. 

Did a netstat -an - noticed that although there were no users logged in,
there was a connection from an external IP to the server on 1494, stuck in
SYN_SENT state. Rebooted again, and the connection again came in.

Fired up ethereal again, this time sniffing that server's traffic. We were
getting a SYN from the IP address, and sending out our SYN_ACK, but we were
never getting the final ACK. The machine in question was constantly
resending that initial SYN, over and over.

The IP was one of ours - there was a bug in the remote site router firmware
and the incoming ACL was not functioning properly, so they were never
getting our SYN ACK. Once I blocked the remote site, the issue on our end
went away, but here is my concern:

From our perspective, all that happened was the ICA listener received a SYN
and no final ACK. This is trivial to do intentionally, and yet constituted a
very effective DoS which I have subsequently duplicated in lab.

Has anyone else seen this, and is the only answer to start using something
like CSG or use something which can detect and respond to this at the
perimeter?

Thanks,

--
Henry Sieff
Network Engineer
OCA
Ph: (504) 620-3420
Cell: (504) 931-4638
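
The netstat check described in the post can be scripted so that a listener with handshakes that never complete is spotted without a packet capture. The following is an added example, not part of the original post: it counts handshake-incomplete connections to port 1494 per remote address from `netstat -an` output. The sample output, the addresses, the function names and the set of state names matched are assumptions (the post reports SYN_SENT; Windows and Linux netstat label a received-but-unacknowledged SYN as SYN_RECEIVED and SYN_RECV).

```python
from collections import Counter

# Handshake-incomplete TCP states as netstat prints them (assumed set).
# SYN_SENT is the state named in the post; SYN_RECEIVED (Windows) and
# SYN_RECV (Linux) are what a listener shows after answering a SYN.
HALF_OPEN_STATES = {"SYN_SENT", "SYN_RECEIVED", "SYN_RECV"}
ICA_PORT = 1494  # ICA listener port from the post

# Constructed sample of `netstat -an` output (documentation addresses only).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1494        198.51.100.7:3211      SYN_RECEIVED
  TCP    192.0.2.10:1494        198.51.100.7:3212      SYN_RECEIVED
  TCP    192.0.2.10:1494        203.0.113.45:4120      ESTABLISHED
  TCP    192.0.2.10:3389        198.51.100.7:3300      SYN_RECEIVED
  TCP    192.0.2.10:1494        198.51.100.9:1050      SYN_SENT
  UDP    0.0.0.0:1604           *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port or None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else None

def half_open_by_remote(netstat_text, port=ICA_PORT):
    """Count handshake-incomplete connections to `port`, per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows end in: local address, foreign address, state.
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        local, remote, state = fields[-3:]
        if split_endpoint(local)[1] == port and state.upper() in HALF_OPEN_STATES:
            counts[split_endpoint(remote)[0]] += 1
    return counts

def report(netstat_text, port=ICA_PORT, threshold=1):
    """Return (remote, count) pairs at or above threshold, busiest first."""
    hits = half_open_by_remote(netstat_text, port)
    return [(ip, n) for ip, n in hits.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n in report(SAMPLE_NETSTAT):
        print(f"{ip}: {n} incomplete handshake(s) on port {ICA_PORT}")
```

The default threshold is 1 because the post describes a single stuck connection coinciding with the outage; raise it on busy listeners where brief incomplete handshakes are normal.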