@jiacai2050
Last active July 27, 2020 04:48

I wrote a buggy server that leaks socket fds and listens on 5000, and as expected there were CLOSE-WAIT sockets left when the client closed:

$ ss -ntpa | grep 5000
LISTEN     0      50                       :::5000                    :::*      users:(("java",14586,92))
CLOSE-WAIT 79     0          ::ffff:127.0.0.1:5000      ::ffff:127.0.0.1:55804  users:(("java",14586,96))
CLOSE-WAIT 79     0          ::ffff:127.0.0.1:5000      ::ffff:127.0.0.1:59235  users:(("java",14586,93))
CLOSE-WAIT 5      0          ::ffff:127.0.0.1:5000      ::ffff:127.0.0.1:55803  users:(("java",14586,95))
CLOSE-WAIT 150    0          ::ffff:127.0.0.1:5000      ::ffff:127.0.0.1:59236  users:(("java",14586,94))

Then I try to reuse one of those badly-behaved sockets like this:

# to capture what on earth is being sent
$ sudo tcpdump -i any src port 55803 or dst port 55803 -SvvvA -w /tmp/test.pcap
# then
$ time nc -p 55803 localhost 5000

The result of the nc command was nothing within 2 min:

$ time nc -p 59236 localhost 5000
nc: connect to localhost port 5000 (tcp) failed: Connection timed out
real    2m7.282s
user    0m0.000s
sys     0m0.001s

And I opened test.pcap in Wireshark; it shows that TCP Retransmission happened 6 times and the server responded with nothing.

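As an added example (not part of the gist, and not the author's server code), the following Python parses the `ss -ntpa` listing above and turns both observations into checks: it flags a listener that accumulates CLOSE-WAIT sockets (the leaked-fd signature, with the bytes the peer sent that were never read) and reports which stale client ports still occupy a 4-tuple on the server, which is why `nc -p 55803` and `nc -p 59236` cannot complete a handshake against the same server port. The sample rows are constructed from the gist's output plus a header line and one ESTAB row; the alerting threshold and all function names are my own assumptions.

```python
# Added example (not from the gist): parse `ss -ntpa` output to spot a
# leaked-fd pattern (many CLOSE-WAIT sockets owned by one listener) and to
# explain why reusing one of the stale client ports cannot complete.
import re
from collections import Counter

# Constructed sample: the gist's ss lines plus a header row and one healthy
# ESTAB connection, so the parser is exercised on more than the leaky rows.
SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port          Peer Address:Port
LISTEN     0      50                       :::5000                    :::*      users:(("java",14586,92))
CLOSE-WAIT 79     0          ::ffff:127.0.0.1:5000      ::ffff:127.0.0.1:55804  users:(("java",14586,96))
CLOSE-WAIT 79     0          ::ffff:127.0.0.1:5000      ::ffff:127.0.0.1:59235  users:(("java",14586,93))
CLOSE-WAIT 5      0          ::ffff:127.0.0.1:5000      ::ffff:127.0.0.1:55803  users:(("java",14586,95))
CLOSE-WAIT 150    0          ::ffff:127.0.0.1:5000      ::ffff:127.0.0.1:59236  users:(("java",14586,94))
ESTAB      0      0          ::ffff:127.0.0.1:5000      ::ffff:127.0.0.1:60001  users:(("java",14586,97))
"""

# Matches both the old users:(("java",14586,96)) and the newer
# users:(("java",pid=14586,fd=96)) spelling printed by ss.
USERS_RE = re.compile(r'users:\(\("([^"]+)",(?:pid=)?(\d+),(?:fd=)?(\d+)\)')


def split_addr(addr):
    """'::ffff:127.0.0.1:5000' -> ('::ffff:127.0.0.1', 5000); a '*' port becomes None."""
    host, port = addr.rsplit(":", 1)
    return host, (None if port == "*" else int(port))


def parse_ss(text):
    """Return one dict per socket row of `ss -ntpa` output; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, recvq, sendq, local, peer = parts[:5]
        lhost, lport = split_addr(local)
        phost, pport = split_addr(peer)
        m = USERS_RE.search(line)
        proc, pid, fd = (m.group(1), int(m.group(2)), int(m.group(3))) if m else (None, None, None)
        rows.append(dict(state=state, recvq=int(recvq), sendq=int(sendq),
                         lhost=lhost, lport=lport, phost=phost, pport=pport,
                         proc=proc, pid=pid, fd=fd))
    return rows


def close_wait_counts(rows):
    """CLOSE-WAIT sockets grouped by (process name, pid, local port)."""
    return Counter((r["proc"], r["pid"], r["lport"])
                   for r in rows if r["state"] == "CLOSE-WAIT")


def leaking_listeners(rows, threshold=3):
    """(proc, pid, port, count) for servers holding >= threshold CLOSE-WAIT sockets.

    threshold is an assumed alerting knob. CLOSE-WAIT that never drains means the
    application received the peer's FIN but never called close() on the accepted fd.
    """
    counts = close_wait_counts(rows)
    return sorted((proc, pid, port, n) for (proc, pid, port), n in counts.items()
                  if n >= threshold)


def unread_bytes(rows, server_port=None):
    """Bytes the peers sent that the leaking process never read (Recv-Q of CLOSE-WAIT rows)."""
    return sum(r["recvq"] for r in rows
               if r["state"] == "CLOSE-WAIT"
               and (server_port is None or r["lport"] == server_port))


def port_collision(rows, client_port, server_port):
    """The stale socket that still owns the 4-tuple a reused client port would need, or None.

    A fresh SYN from the same client port to the same server port is matched to this
    half-closed connection by the kernel's established-socket lookup, so the listener
    never sees it and the client just retransmits, as the gist's capture shows.
    """
    for r in rows:
        if r["state"] != "LISTEN" and r["lport"] == server_port and r["pport"] == client_port:
            return r
    return None


if __name__ == "__main__":
    rows = parse_ss(SS_OUTPUT)
    for proc, pid, port, n in leaking_listeners(rows):
        print(f"{proc}[{pid}] on port {port}: {n} CLOSE-WAIT sockets, "
              f"{unread_bytes(rows, port)} unread bytes")
    stale = port_collision(rows, 55803, 5000)
    print("client port 55803 is still pinned by fd", stale["fd"], "in state", stale["state"])
```

To run it on a live host, replace SS_OUTPUT with the stdout of `ss -ntpa` (for example via subprocess.run). A CLOSE-WAIT count that grows and never drains is worth alerting on: each socket pins an fd and whatever Recv-Q the peer sent, and once the process hits its fd limit the listener stops accepting new connections.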

jiacai2050 commented Nov 10, 2018

iptables is completely off on my box.

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
