我有一个使用代理服务(WAF 等)的服务器,它将数据包转发到我的服务器。
我可以从所有代理中看到已建立netstat -an的 SSL 连接,其余的则卡在 SYN_RECV 中:
tcp 0 0 192.168.102.11:443 185.93.230.20:64966 SYN_RECV
tcp 0 0 192.168.102.11:443 192.88.135.20:8306 SYN_RECV
tcp 0 0 192.168.102.11:443 66.248.202.20:10750 SYN_RECV
tcp 0 0 192.168.102.11:443 185.93.230.20:2213 SYN_RECV
tcp 0 0 192.168.102.11:443 66.248.202.20:7494 SYN_RECV
tcp 0 0 192.168.102.11:443 185.93.231.20:32752 ESTABLISHED
tcp 0 0 192.168.102.11:443 185.93.231.20:31910 ESTABLISHED
我可以看到流量tcpdump port 443 and '(tcp-syn|tcp-ack)!=0' -nn:
为了185.93.231.20.2139
20:36:35.263777 IP 192.168.102.11.443 > 185.93.231.20.2139: Flags [FP.], seq 203642186:203642217, ack 1968471817, win 258, options [nop,nop,TS val 32827456 ecr 876705214], length 31
20:36:36.901357 IP 192.168.102.11.443 > 185.93.231.20.2137: Flags [P.], seq 418165034:418165065, ack 2875697257, win 258, options [nop,nop,TS val 32829093 ecr 876704135], length 31
为了185.93.230.20
20:36:49.098560 IP 185.93.230.20.20721 > 192.168.102.11.443: Flags [S], seq 2855805773, win 29200, options [mss 1460,sackOK,TS val 882921029 ecr 0,nop,wscale 9], length 0
20:36:49.098638 IP 192.168.102.11.443 > 185.93.230.20.20721: Flags [S.], seq 268496949, ack 2855805774, win 28960, options [mss 1460,sackOK,TS val 32841290 ecr 882921029,nop,wscale 7], length 0
对于66.248.202.20:
20:37:02.042048 IP 66.248.202.20.49557 > 192.168.102.11.443: Flags [S], seq 3837436386, win 29200, options [mss 1460,sackOK,TS val 791596242 ecr 0,nop,wscale 9], length 0
20:37:02.042116 IP 192.168.102.11.443 > 66.248.202.20.49557: Flags [S.], seq 2339555392, ack 3837436387, win 28960, options [mss 1460,sackOK,TS val 32854234 ecr 791596242,nop,wscale 7], length 0
对于192.88.135.20:
20:36:39.595087 IP 185.93.228.20.23354 > 192.168.102.11.443: Flags [S], seq 1334433323, win 29200, options [mss 1460,sackOK,TS val 274977072 ecr 0,nop,wscale 9], length 0
20:36:39.595120 IP 192.168.102.11.443 > 185.93.228.20.23354: Flags [S.], seq 1203016390, ack 1334433324, win 28960, options [mss 1460,sackOK,TS val 32831787 ecr 274970056,nop,wscale 7], length
但只有来自185.93.231.20的流量才会登录到 domlogs:
185.93.231.20 - - [22/May/2020:19:55:37 +0400] "GET /blog/video-gallery/ HTTP/1.1" 200 12716 "https://www.example.com/blog/publications/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 747893
185.93.231.20 - - [22/May/2020:19:55:39 +0400] "GET /wp-content/uploads/2020/02/Thumbnail72.jpg HTTP/1.1" 200 181941 "https://www.example.com/blog/video-gallery/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 1283052
185.93.231.20 - - [22/May/2020:19:55:39 +0400] "GET /wp-content/uploads/2020/02/Thumbnail68.jpg HTTP/1.1" 200 180934 "https://www.example.com/blog/video-gallery/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 952373
关于下一步检查什么的任何想法?我已禁用所有防火墙规则并确保 NAT 在 WAN 和主机(入站和出站)之间正常工作 - 没有发生任何配置更改,这只是停止工作。
结果证明这是一个不对称的路由问题,因为数据包可以到达服务器但网络无法返回它们(由于路由故障)。
netstat部分连接卡住并SYN_RECV返回tcpdump其标志:[S]从远程服务器入站到我们SYN建立连接[S.]我们回复远程服务器以SYN+ACK建立连接请求SYN这是在服务器上通过来自远程服务器的以下请求识别的:这使套接字进入半开状态:
然后我们回应(注意标志的
S.含义SYN+ACK):但这永远不会到达远程服务器,因此它永远不会反过来响应进一步的数据包,这些数据包将完成握手并将套接字设置为
ESTABLISHED.这已由 ISP 和相关的对手方解决,以解决路由问题。
这也可能表明防火墙丢弃了数据包或配置错误的 NAT 规则,这些在联系 ISP 之前已被排除。