[q] curious packets

Hyo-Jeong Shin shinhj at hana.ne.kr
Tue Apr 27 04:24:22 UTC 2004


Thanks for your response.
While investigating the DNS traffic on several DNS servers, I found many
"[1] repeated ServFail" and "[2] repeated SYN-ACK" patterns.
Those clients may be unusual hosts with a virus or a wrong configuration.
The durations of the "[1] repeated ServFail" pattern are very long, and I want to
know how to reduce the "repeated ServFail".
The interval between ServFails is 2 minutes. What determines these intervals, bind
or TCP?

In case [2], why can't the servers see the "RST"? The OS of the servers is Linux 2.4.18.


Barry Margolin wrote:

>In article <c6kfmd$1o55$1 at sf1.isc.org>,
> Hyo-Jeong Shin <shinhj at hana.ne.kr> wrote:
>
>>Hello all,
>>I captured some curious packets from our DNS servers with bind 8.2.7 on
>>linux.
>>Anybody knows why these packets are generated?
>>
>>[1] repeated ServFail =================================
>
>The ServFail is because neither of the authoritative servers for 
>yourbusiness.com are responding.  The repetition is because the client 
>isn't acknowledging the packet (we can't tell why that is).  I'm not 
>sure why it went on for over 20 minutes, though; I'd expect the 
>retransmission limit to be much shorter than that.
>
>>16:02:57.053606 client.43312 > server.53: S 1054099647:1054099647(0) win
>>16384 <mss 1460,nop,nop,sackOK> (DF)
>>16:02:57.053639 server.53 > client.43312: S 2979146159:2979146159(0) ack
>>1054099648 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>16:02:57.086975 client.43312 > server.53: . ack 1 win 17520 (DF)
>>16:02:57.088947 client.43312 > server.53: P 1:37(36) ack 1 win 17520
>>7261+ MX? yourbusiness.com. (34) (DF)
>>16:02:57.088961 server.53 > client.43312: . ack 37 win 5840 (DF)
>>16:03:53.003632 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:03:56.002763 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:04:02.002729 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:04:14.002728 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:04:38.002728 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:05:26.002825 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:07:02.002781 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:09:02.002768 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:11:02.002764 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:13:02.002756 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:15:02.002740 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:17:02.002774 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:19:02.002742 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:21:02.002782 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:23:02.002750 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>16:25:02.002754 server.53 > client.43312: P 1:37(36) ack 37 win 5840
>>7261 ServFail 0/0/0 (34) (DF)
>>
>>[2] repeated SYN =========================================================
>
>Not repeated SYN, repeated SYN-ACK.  Apparently the server didn't see 
>the RST.  I'm not sure why the client sent the RST in the first place, 
>since the SYN-ACK looks reasonable.
>
>>12:58:44.276476 client.59163 > server.53: S 3109183:3109183(0) win 8192
>><mss 1452,nop,nop,sackOK> (DF)
>>12:58:44.276510 server.53 > client.59163: S 3599383948:3599383948(0) ack
>>3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>12:58:44.302861 client.59163 > server.53: R 3109184:3109184(0) win 0
>>12:58:48.407735 server.53 > client.59163: S 3599383948:3599383948(0) ack
>>3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>12:58:55.778830 server.53 > client.59163: S 3599383948:3599383948(0) ack
>>3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>12:59:07.931183 server.53 > client.59163: S 3599383948:3599383948(0) ack
>>3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>12:59:33.431181 server.53 > client.59163: S 3599383948:3599383948(0) ack
>>3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>13:00:21.442892 server.53 > client.59163: S 3599383948:3599383948(0) ack
>>3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>
>I suspect some kind of communication problem between the client and 
>server, that's sensitive to particular packet contents.
>


-- 
Hyo-jeong Shin
Internet Networking Team
KT Corporation, Technology Lab.
463-1 Jeonmin-dong, Yuseong-gu, Daejeon 305-811, KOREA
Office:042-870-8194(or 0502-393-2228) Fax:042-870-8339
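As an added example, not part of the thread, a small Python analyser for tcpdump records like the ones quoted above: it groups identical ServFail answers (same query id) and identical SYN-ACKs (same initial sequence number) per flow, reports the seconds between repeats, and compares the ServFail intervals with a doubling retransmission timer capped at 120 s, which is the cap Linux TCP applies. The sample records are constructed from the trace in the thread, with each wrapped record re-joined onto one line and only the first few repeats kept.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread's tcpdump output, with each record
# re-joined onto a single line (only the first few retransmissions are kept).
SAMPLE = """\
16:02:57.088947 client.43312 > server.53: P 1:37(36) ack 1 win 17520 7261+ MX? yourbusiness.com. (34) (DF)
16:03:53.003632 server.53 > client.43312: P 1:37(36) ack 37 win 5840 7261 ServFail 0/0/0 (34) (DF)
16:03:56.002763 server.53 > client.43312: P 1:37(36) ack 37 win 5840 7261 ServFail 0/0/0 (34) (DF)
16:04:02.002729 server.53 > client.43312: P 1:37(36) ack 37 win 5840 7261 ServFail 0/0/0 (34) (DF)
16:04:14.002728 server.53 > client.43312: P 1:37(36) ack 37 win 5840 7261 ServFail 0/0/0 (34) (DF)
16:04:38.002728 server.53 > client.43312: P 1:37(36) ack 37 win 5840 7261 ServFail 0/0/0 (34) (DF)
16:05:26.002825 server.53 > client.43312: P 1:37(36) ack 37 win 5840 7261 ServFail 0/0/0 (34) (DF)
16:07:02.002781 server.53 > client.43312: P 1:37(36) ack 37 win 5840 7261 ServFail 0/0/0 (34) (DF)
16:09:02.002768 server.53 > client.43312: P 1:37(36) ack 37 win 5840 7261 ServFail 0/0/0 (34) (DF)
12:58:44.276510 server.53 > client.59163: S 3599383948:3599383948(0) ack 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
12:58:44.302861 client.59163 > server.53: R 3109184:3109184(0) win 0
12:58:48.407735 server.53 > client.59163: S 3599383948:3599383948(0) ack 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
12:58:55.778830 server.53 > client.59163: S 3599383948:3599383948(0) ack 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
12:59:07.931183 server.53 > client.59163: S 3599383948:3599383948(0) ack 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
"""

# timestamp, source, destination, TCP flag column, remainder of the record
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) > (\S+): (\S) (.*)$")

def parse(text):
    """Yield (seconds_since_midnight, src, dst, flag, rest) per tcpdump record."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            h, mi, s, us = (int(x) for x in m.groups()[:4])
            yield h * 3600 + mi * 60 + s + us / 1e6, m[5], m[6], m[7], m[8]

def gaps(ts):
    """Whole seconds between consecutive timestamps."""
    return [round(b - a) for a, b in zip(ts, ts[1:])]

def analyze(text):
    """Group identical ServFail answers (same query id) and identical SYN-ACKs
    (same ISN) per flow; return the retransmission intervals of each group."""
    servfail, synack = defaultdict(list), defaultdict(list)
    for t, src, dst, flag, rest in parse(text):
        if flag == "P" and " ServFail " in rest:
            qid = rest.split(" ServFail ")[0].rsplit(None, 1)[-1]
            servfail[(src, dst, qid)].append(t)
        elif flag == "S" and " ack " in rest:  # SYN-ACK, not a bare SYN
            synack[(src, dst, rest.split(":", 1)[0])].append(t)
    return ({k: gaps(v) for k, v in servfail.items() if len(v) > 1},
            {k: gaps(v) for k, v in synack.items() if len(v) > 1})

def rto_schedule(first, n, rto_max=120.0):
    """Doubling TCP retransmit timer capped at rto_max (Linux caps at 120 s)."""
    return [min(first * 2 ** i, rto_max) for i in range(n)]
```

The ServFail intervals come out as 3, 6, 12, 24, 48, 96, 120, 120, ... s, exactly the capped doubling of a TCP retransmission timer, so the 2-minute spacing is the kernel's retransmit timer for an unacknowledged segment rather than anything BIND does; the ~20-minute run is consistent with Linux's default of 15 data retransmissions before the connection is dropped.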