In message <01BBB762 .
com>, "Alex \"Achmed\" McCubbi
>In my firewall logs, I have a machine (mac) on my internal private =
>network that has occasionally hit my non-existent web server port 80 on =
>the firewall 80-90 times per minute... There is no reference to the =
>firewall in any config on that machine (that I can find) other than DNS. =
> I spoke with the user and he said that he used netscape during the day, =
>and he never tried to point to the firewall in a URL, even if he did, he =
>couldn't manually hit it 80-90 times a minute. He said that his =
>netscape did crash at sometime around the same time the logs show, but =
>that's just grasping at straws... Anyone ever see this type of problem =
>in any of their logs? This isn't the first time I've seen it, although =
>it is rare, and each time the person has been running netscape.
I've seen this sort of thing before. The symptoms that I have observed
on several occasions are:
1. User has been using a web browser to view a web site and the connection
has been ungracefully terminated (e.g. carrier lost or PC switched off).
2. The remote site that the user was viewing keeps trying to connect back
to the user's PC address. This can keep up for hours, maybe even days!
3. If the user connects back to the same site from the same PC, the
connections stop and things return to normal. If not, the incoming
connections eventually stop after a very long time - I'm not sure
if this is due to some timeout or if someone at the remote site
resets the server.
It seems that the remote web server keeps trying to serve the page that the
client requested but it doesn't realise that the client has gone away and
just keeps trying. Maybe the fact that HTTP is a connectionless and stateless
protocol has something to do with this - I guess that the server has no way
of knowing that the remote PC is no longer there, but TCP continutes to try
to get the data through.
I've never looked closely into this, but I guess that it should be fairly
easy to reproduce if it's common to all web servers.
Roy Hills Email: Roy .
Inmarsat Tel: +44 171 728 1033 (ddi)
99 City Road, London EC1Y 1AX, UK Fax: +44 171 728 1254