On 27 Dec 2013, at 07:39, Nyamul Hassan <nya...@gmail.com> wrote:

> Hi,
> 
> Recently, we had some DDoS type attacks on our servers, so in an
> attempt to secure our systems, we added some iptables rules, which
> seems to work quite well on most of our servers.
> 
> Even on systems dedicated to Squid, all seems to run well.  However,
> one rule in particular seems to catch a lot of entries on Squid
> machines, which are almost non-existent on the other non-Squid
> machines:
> 
> -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j OUTRST -m comment
> --comment "OUTPUT: Catch RST pkt"
> -A OUTRST -j LOG --log-prefix "OUTRST: "
> -A OUTRST -j DROP -m comment --comment "OUTRST:  Drop outbound RST"
> 
> From what we have seen, this does not seem to have a detrimental
> effect on Squid Proxy.  But, out of academic interest, we would still
> like to learn more on why so many RST packets would be generated from
> the server itself.
> 
> Can anyone shed some light?

Hi Hassan,
  I guess that one of the reasons is that a proxy has way different traffic 
patterns than almost any other server: it talks to a lot of unreliably 
reachable servers, and as such it may more often have to reinitialise the TCP 
state of a connection. There may be other reasons, with slightly different 
motivations but the same pattern. For instance:
- squid tries to keep TCP connection alive
- firewall on the server side has too-short session timeout
- firewall on server side silently drops connection
- squid gives up on keep alive, closes TCP session
- firewall drops FIN because no session in its session table
- squid RST

This pattern occurs more often than you'd think.

        Kinkie
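
One way to check Kinkie's explanation against the logs the quoted rule produces, as an added example that is not part of the original thread and not Squid's own code: the `-j LOG --log-prefix "OUTRST: "` target writes netfilter `KEY=VALUE` lines to the kernel log, and a RST leaving from an ephemeral source port toward an origin server is a different animal from a RST leaving from Squid's listening port toward a browser. The script below splits the logged RSTs along that line and counts them per peer. The log lines are constructed for the example (addresses, hostnames and ports are made up), and the proxy port `3128` is an assumption to adjust to your own `http_port`.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines as written by the quoted rule
# `-A OUTRST -j LOG --log-prefix "OUTRST: "`. Hostnames, addresses and
# ports are made up for the example.
SAMPLE_LOG = """\
Dec 27 07:12:01 proxy1 kernel: OUTRST: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Dec 27 07:12:02 proxy1 kernel: OUTRST: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 27 07:12:05 proxy1 kernel: OUTRST: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51301 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Dec 27 07:12:09 proxy1 kernel: OUTRST: IN= OUT=eth0 SRC=10.0.0.5 DST=192.168.1.44 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=40112 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 27 07:12:11 proxy1 kernel: unrelated message, not from the OUTRST chain
"""

SQUID_PORT = 3128  # assumed http_port of the proxy (hypothetical); adjust to squid.conf
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Parse one netfilter LOG line into a dict; return None if it is not an OUTRST line."""
    if "OUTRST: " not in line:
        return None
    rec = dict(KV_RE.findall(line))
    # The TCP flag keywords (SYN/ACK/RST/...) are bare tokens, not KEY=VALUE pairs.
    rec["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return rec


def direction(rec, squid_port=SQUID_PORT):
    """Which side of the proxy the RST belongs to.

    A RST whose source port is Squid's listening port goes to a browser
    (the proxy acting as a server); a RST from an ephemeral source port goes
    to an origin server the proxy connected to as a client.
    """
    return "to_client" if int(rec.get("SPT", 0)) == squid_port else "to_origin"


def summarize(log_text, squid_port=SQUID_PORT):
    """Count logged outbound RSTs per direction and per peer address."""
    summary = {"to_origin": Counter(), "to_client": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "RST" not in rec["FLAGS"]:
            continue
        summary[direction(rec, squid_port)][rec["DST"]] += 1
    return summary


if __name__ == "__main__":
    for side, peers in summarize(SAMPLE_LOG).items():
        print(side)
        for peer, n in peers.most_common():
            print(f"  {peer:16} {n}")
```

Run it against `journalctl -k` or `/var/log/kern.log` output instead of the constructed sample. If almost everything lands under `to_origin` and clusters on a handful of upstream addresses, that fits the keep-alive/firewall-timeout pattern described above; RSTs under `to_client` point at the browser side instead. Note that `--tcp-flags RST RST` matches any segment with the RST bit set, so both bare RST and RST/ACK segments are logged and counted here.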
