
another networking question #33

Open
@figtrap

Description

All of a sudden your ssh sessions to a super important server you work
on are getting blown away, forcing you to log in again several times an
hour. The network people say there's nothing wrong on their side!
Using tcpdump to view your session, you see the following output
(trimmed) from the client side of the connection. On the server side,
you see only up to the second-to-last packet. Do you notice anything
strange? What do you think might have caused this, and why?

10:33:13.059502 server.22 > client.1284: P 2395903577:2395903653(76) ack 8368201 win 16080 (DF) [tos 0x10]  (ttl 46, id 18387)
10:33:13.061540 client.1284 > server.22: P 8368201:8368245(44) ack 2395903653 win 8332 [tos 0x15]  (ttl 128, id 62508)
10:33:13.202638 server.22 > client.1284: . 2395903653:2395903653(0) ack 8368245 win 16080 (DF) [tos 0x10]  (ttl 46, id 18388)
10:33:19.846570 client.1284 > server.22: P 8368245:8368289(44) ack 2395903653 win 8332 [tos 0x15] (ttl 128, id 63020)
10:33:19.873279 server.22 > client.1284: R 2395903653:2395903697(44) ack 8368245 win 8332 [tos 0x15]  (ttl 120, id 63020)

answer: The last packet is clearly forged, and not very well. It is
some network device which is flagging the second-to-last packet with a
reset and sending it back to you. Notice the packet id and TTL of the
last two packets sent by the server: it is the same packet as the one the client sent in the line above it. The TTLs of the "real" server are also completely different. (I actually have seen this.) BONUS: how many hops away from the client is this mysterious network device?
