Ahh yes, serendipity. An issue was referred to me a few days ago - users were having difficulty connecting to a published application. It turns out that one of the servers serving this particular app was fine, but I couldn't initiate an ICA connection to the other. Telnetted to 1494, got the ICA ICA ICA. Fired up ethereal. Launched ICA session - 3wayHS successful, but bam! RST packet sent from the server to me immediately afterwards. ?!?!?!

Rebooted the server, fine for a second, then almost immediately, couldn't get in again. Did a netstat -an - noticed that although there were no users logged in, there was a connection from an external IP to the server on 1494, stuck in SYN_SENT state. Rebooted again, and the connection again came in.

Fired up ethereal again, this time sniffing that server's traffic. We were getting a SYN from the IP address, and sending out our SYN_ACK, but we were never getting the final ACK. The machine in question was constantly resending that initial SYN, over and over. The IP was one of ours - there was a bug in the remote site router firmware and the incoming ACL was not functioning properly, so they were never getting our SYN ACK.

Once I blocked the remote site, the issue on our end went away, but here is my concern: From our perspective, all that happened was the ICA listener received a SYN and no final ACK. This is trivial to do intentionally, and yet constituted a very effective DoS which I have subsequently duplicated in lab. Has anyone else seen this, and is the only answer to start using something like CSG or use something which can detect and respond to this at the perimeter?

Thanks,
--
Henry Sieff
Network Engineer
OCA
Ph: (504) 620-3420
Cell: (504) 931-4638
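
A host-side way to spot the condition described in the post, as an added example that is not part of the original message: it reads several `netstat -an` samples taken a few seconds apart and reports remote addresses that stay in the listener's "SYN received, final ACK missing" state on port 1494. The function names, the sample addresses and the three-sample threshold are assumptions made for the illustration.

```python
from collections import Counter

ICA_PORT = 1494  # ICA listener port from the post
# Listener-side names for "SYN seen, SYN-ACK sent, final ACK missing"
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV", "SYN_RCVD"}  # Windows, Linux, BSD

def half_open_peers(netstat_text, port=ICA_PORT):
    """Return the set of remote IPs with a half-open connection to `port`."""
    peers = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue  # headers, UDP rows, blank lines
        # With plain `netstat -an` the last three columns are local, foreign, state
        local, foreign, state = fields[-3:]
        if state.upper() in HALF_OPEN and local.rsplit(":", 1)[-1] == str(port):
            peers.add(foreign.rsplit(":", 1)[0])
    return peers

def persistent_half_open(snapshots, min_samples=3, port=ICA_PORT):
    """Peers seen half-open in at least `min_samples` snapshots.

    A normal handshake finishes in milliseconds, so a peer that is still
    half-open across several samples taken seconds apart is not completing it.
    """
    seen = Counter()
    for text in snapshots:
        seen.update(half_open_peers(text, port))
    return sorted(ip for ip, n in seen.items() if n >= min_samples)

# Constructed sample data (documentation addresses): three `netstat -an` samples
HEADER = "  Proto  Local Address          Foreign Address        State\n"
LISTEN = "  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING\n"
STUCK = "  TCP    10.1.1.20:1494         192.0.2.77:3301        SYN_RECEIVED\n"
SNAPSHOTS = [
    HEADER + LISTEN + STUCK
    + "  TCP    10.1.1.20:1494         198.51.100.9:4410      SYN_RECEIVED\n",
    HEADER + LISTEN + STUCK
    + "  TCP    10.1.1.20:1494         198.51.100.9:4410      ESTABLISHED\n",
    HEADER + LISTEN + STUCK
    + "  TCP    10.1.1.20:3389         192.0.2.50:5000        SYN_RECEIVED\n",
]

if __name__ == "__main__":
    print(persistent_half_open(SNAPSHOTS))
```

The peer that completes its handshake by the second sample is not reported; only the address that never sends the final ACK is.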