TIME_WAIT Assassination in FreeBSD???

Jarrod Lee Petz jlpetz at internode.on.net
Wed Sep 7 13:55:17 UTC 2011


Hi All,

Thanks everyone for your input. As promised (although a bit late), I tested
this on FreeBSD to see how it would react. As I suspected it did encounter
the same problem. There are a few exceptions though.

1. The port randomization seems a bit less likely to choose the same port
twice on FreeBSD compared to AIX. This could simply be because the FreeBSD
system is not loaded/busy though. Remember the comment on algorithm 1. in
RFC6056 "is biased towards the first available port after a sequence of
unavailable port numbers." So on a system which has more network
connections the chance of re-using a recent port goes up. However my test
definitely takes longer to encounter the issue on FreeBSD.

2. I had to modify my test script on FreeBSD. FreeBSD's ftp client by
default tries to use passive ftp mode and then fails over to active if it
is unavailable. As such I had to add the additional command line switch 
'-A' to force the use of active mode.

3. When the problem is encountered FreeBSD is only delayed for 60 seconds,
AIX by default is delayed by 90 seconds.

4. When a port is re-used and the Windows ftp server (IIS) still
has the port in TIME_WAIT from a previous connection, FreeBSD ftp behaves
differently to AIX ftp (with fixes to prevent hang).
	tcpdump on AIX shows
	-----------------------------
	1. -> Request:		PORT ftp request gets sent.
	2. <- Response:		200 Port command successful received.
	3. -> Request: 		NLST ftp request gets sent.
	4. <- Response:		150 Opening ASCII mode data connection.
	5. -> ACK
	6. <- Response:		425 Can't open data connection.
	7. -> ACK
	8. Now I see packets 3 (NLST) through to 7 (ACK) repeat over & over
	until the ftp client gives up (90 seconds) and just moves on to the
	next operation in the script. If the Windows system has the port
	become available (CLOSED instead of TIME_WAIT), then it might be
	successful, but the default TIME_WAIT on Windows is 120 seconds (I
	think) so more often it doesn't.

	tcpdump on FreeBSD shows
	-----------------------------
	1. -> Request:		PORT ftp request gets sent.
	2. <- Response:		200 Port command successful received.
	3. -> Request: 		NLST ftp request gets sent.
	4. <- Response:		150 Opening ASCII mode data connection.
	5. -> ACK
	6. <- Response:		425 Can't open data connection.
	7. -> ACK
	8. 60 Seconds of nothing!!!!
	9. -> Request:		XXX	(I don't know what this is. Looks
	like an FTP command, Wireshark just shows them as three 'X'
	characters that have a square box around them? HEX - FF F4 FF ).
	10. -> Request:		XABOR (again a funny 'X' character inside a
	box. This time followed by 'ABOR' HEX - F2 41 42 4F 52).
	11. <- Response:	500 'XABOR' : command not understood.

This is output from the ftp command on FreeBSD when it encounters the issue
---------------------------------------------------------------------------
Connected to djs326b.
220 Microsoft FTP Service
---> USER ftpprd
331 Password required for ftpprd.
---> PASS XXXX
230 User ftpprd logged in.
---> SYST
215 Windows_NT
Remote system type is Windows_NT.
---> FEAT
211-FEAT
    SIZE
    MDTM
211 END
features[FEAT_FEAT] = 1
features[FEAT_MDTM] = 1
features[FEAT_MLST] = 0
features[FEAT_REST_STREAM] = 0
features[FEAT_SIZE] = 1
features[FEAT_TVFS] = 0
Connected and logged into djs326b.
No proxy connection.
Gate ftp: off, server (none), port ftpgate.
Passive mode: off; fallback to active mode: off.
Mode: stream; Type: ascii; Form: non-print; Structure: file.
Verbose: on; Bell: off; Prompting: off; Globbing: on.
Store unique: off; Receive unique: off.
Preserve modification times: on.
Case: off; CR stripping: on.
Ntrans: off.
Nmap: off.
Hash mark printing: off; Mark count: 1024; Progress bar: on.
Get transfer rate throttle: off; maximum: 0; increment 1024.
Put transfer rate throttle: off; maximum: 0; increment 1024.
Socket buffer sizes: send 32768, receive 65536.
Use of PORT cmds: on.
Use of EPSV/EPRT cmds for IPv4: on.
Command line editing: off.
Version: NetBSD-ftp 20050514
---> CWD acrinput/data
250 CWD command successful.
---> PWD
257 "/acrinput/data" is current directory.
got remotecwd as `/acrinput/data'
---> EPRT |1|10.10.0.100|56666|
'EPRT |1|10.10.0.100|56666|': command not understood
disabling epsv4 for this connection
---> PORT 10,10,0,100,221,90
---> NLST testingtrans.*
---> PORT 10,10,0,100,60,157
---> NLST testingtrans.*
ftp: poll timeout waiting before accept: Bad file descriptor
'òABOR': command not understood
---> PORT 10,10,0,100,50,50
---> NLST TESTINGTRANS.*
---> PORT 10,10,0,100,126,65
---> NLST TESTINGTRANS.*
---> QUIT
221


This is some of the output from my test script. It simply runs an
'ftp -nidv -A djs326b < ftpscript.txt'
command in an endless loop. If a run of the script takes longer than 5
seconds I capture the log & tcpdump. As shown below, loops 112 & 131 reused
port 58047 (PORT 10,10,0,100,226,191)
---------------------------------------------------------------------------
FTP - RUN - 112
---> EPRT |1|10.10.0.100|58047|                               <
'EPRT |1|10.10.0.100|58047|': command not understood          <
---> PORT 10,10,0,100,226,191                                 <
---> PORT 10,10,0,100,194,40                                  <
---> PORT 10,10,0,100,61,191                                  <
---> PORT 10,10,0,100,60,206                                  <
FTP - END - 112 - 0
FTP - TME - 112 - 1


FTP - RUN - 131
---> EPRT |1|10.10.0.100|52690|                               <
'EPRT |1|10.10.0.100|52690|': command not understood          <
---> PORT 10,10,0,100,205,210                                 <
---> PORT 10,10,0,100,249,153                                 <
---> PORT 10,10,0,100,88,249                                  <
---> PORT 10,10,0,100,226,191                                 <
ftp: poll timeout waiting before accept: Bad file descriptor  <
'òABOR': command not understood                               <
FTP - END - 131 - 0
FTP - TME - 131 - 61
Hang detected. Verify Log - 131_1315187050 !!!!

Regards Jarrod



More information about the freebsd-hackers mailing list
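
An added example, not part of the original post: a small Python parser for the test-script log format shown above that decodes each active-mode data port (PORT encodes it as p1 * 256 + p2 per RFC 959) and reports ports announced in more than one run. The sample lines are excerpted from the post's log; the names `parse_runs` and `reused_ports` are assumptions made for this example.

```python
import re

# Excerpt of the test-script log quoted in the post (runs 112 and 131).
SAMPLE_LOG = """\
FTP - RUN - 112
---> EPRT |1|10.10.0.100|58047|                               <
---> PORT 10,10,0,100,226,191                                 <
FTP - TME - 112 - 1
FTP - RUN - 131
---> PORT 10,10,0,100,205,210                                 <
---> PORT 10,10,0,100,226,191                                 <
FTP - TME - 131 - 61
"""

RUN = re.compile(r"^FTP - RUN - (\d+)")
TME = re.compile(r"^FTP - TME - (\d+) - (\d+)")
PORT = re.compile(r"^---> PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPRT = re.compile(r"^---> EPRT \|1\|([\d.]+)\|(\d+)\|")

def parse_runs(log):
    """Return ({run: distinct data ports in order}, {run: elapsed seconds})."""
    ports, secs, run = {}, {}, None
    for line in log.splitlines():
        if m := RUN.match(line):
            run = int(m.group(1))
        elif m := TME.match(line):
            secs[int(m.group(1))] = int(m.group(2))
        elif run is not None:
            port = None
            if m := PORT.match(line):
                port = int(m.group(5)) * 256 + int(m.group(6))  # p1 * 256 + p2
            elif m := EPRT.match(line):
                port = int(m.group(2))  # EPRT carries the port in decimal
            # EPRT and the fallback PORT announce the same socket: count it once
            if port is not None and port not in ports.setdefault(run, []):
                ports[run].append(port)
    return ports, secs

def reused_ports(log):
    """List (port, earlier_run, later_run, later_run_seconds) for repeated ports."""
    ports, secs = parse_runs(log)
    seen, hits = {}, []
    for run in sorted(ports):
        for port in ports[run]:
            if port in seen:
                hits.append((port, seen[port], run, secs.get(run)))
            seen[port] = run
    return hits
```

Calling `reused_ports(SAMPLE_LOG)` on the excerpt returns the 58047 collision between runs 112 and 131, together with the 61 seconds the later run took.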