Firewalls: Re: WWW Port 80 connections 2-3 times/second...

Firewalls
(October 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: WWW Port 80 connections 2-3 times/second...
From:	"Roy.Hills" <rsh @ inmarsat . org>
Date:	Sat, 12 Oct 1996 17:52:27 +0100
To:	"Alex \"Achmed\" McCubbin" <alexm @ chancery . com>
Cc:	"'firewalls @ greatcircle . com'" <firewalls @ greatcircle . com>, rsh @ inmarsat . org
In-reply-to:	Your message of "Fri, 11 Oct 1996 10:51:01 PDT." <01BBB762 . 2083B0C0 @ dreadlock . chancery . com>

In message <01BBB762 .
 2083B0C0 @
 dreadlock .
 chancery .
 com>, "Alex \"Achmed\" McCubbi
n" writes:
>In my firewall logs, I have a machine (mac) on my internal private =
>network that has occasionally hit my non-existent web server port 80 on =
>the firewall 80-90 times per minute...  There is no reference to the =
>firewall in any config on that machine (that I can find) other than DNS. =
> I spoke with the user and he said that he used netscape during the day, =
>and he never tried to point to the firewall in a URL, even if he did, he =
>couldn't manually hit it 80-90 times a minute.  He said that his =
>netscape did crash at sometime around the same time the logs show, but =
>that's just  grasping at straws...  Anyone ever see this type of problem =
>in any of their logs?   This isn't the first time I've seen it, although =
>it is rare, and each time the person has been running netscape.

I've seen this sort of thing before.  The symptoms that I have observed
on several occasions are:

 1.  User has been using a web browser to view a web site and the connection
     has been ungracefully terminated (e.g. carrier lost or PC switched off).

 2.  The remote site that the user was viewing keeps trying to connect back
     to the user's PC address.  This can keep up for hours, maybe even days!

 3.  If the user connects back to the same site from the same PC, the
     connections stop and things return to normal.  If not, the incoming
     connections eventually stop after a very long time - I'm not sure
     if this is due to some timeout or if someone at the remote site
     resets the server.

It seems that the remote web server keeps trying to serve the page that the
client requested but it doesn't realise that the client has gone away and
just keeps trying.  Maybe the fact that HTTP is a connectionless and stateless
protocol has something to do with this - I guess that the server has no way
of knowing that the remote PC is no longer there, but TCP continutes to try
to get the data through.

I've never looked closely into this, but I guess that it should be fairly
easy to reproduce if it's common to all web servers.

--
Roy Hills                                     Email: Roy .
 Hills @
 inmarsat .
 org
Inmarsat                                      Tel:   +44 171 728 1033 (ddi)
99 City Road, London EC1Y 1AX, UK             Fax:   +44 171 728 1254

References:

WWW Port 80 connections 2-3 times/second...
From: "Alex \"Achmed\" McCubbin" <alexm @ chancery . com>

Indexed By Date	Previous:	RE: IP forwarding and bind() From: Nick Simicich <njs @ scifi . squawk . com>
Indexed By Date	Next:	Setup of preliminary network From: Rune Mossige <runemo @ powertech . no>
Indexed By Thread	Previous:	WWW Port 80 connections 2-3 times/second... From: "Alex \"Achmed\" McCubbin" <alexm @ chancery . com>
Indexed By Thread	Next:	Re: WWW Port 80 connections 2-3 times/second... From: "bettez @ telecom . hydro . qc . ca" <bettez @ telecom . hydro . qc . ca>