[unisog] 10 minute web browsing and out....

Doug Nelson nelson at clunix.cl.msu.edu
Fri Feb 6 16:55:25 GMT 2004

> Gary Flynn wrote:
> > 
> > I'm hearing reports of people whose web browsers
> > quit working after about 10 minutes. After that
> > time they get a "page cannot be displayed" error
> > wherever they go. It's reported that everything
> > else works when that happens...IM, email, etc.
> ...
> The folks that were having this problem tell me it
> went away after they took out the 3127-3198 TCP
> port blocks into their network. ;)

Ah, that makes sense.  There is a danger in blocking all traffic to any
port number greater than 1023, in that you need to consider source ports
as well as destination ports.  The source port number for almost all TCP
and UDP traffic is based on a counter that starts at 1024 and works its
way up, wrapping back to 1024 if it gets too large.  So by blocking
3127-3198, you're assuring your users of difficulty after their system
generates about 2000 TCP and UDP sessions (or connections).  With web
browsing, that doesn't take all that long to reach, since each image,
frame, style sheet, etc., can potentially require a separate TCP

With the port range 3127-3198, a user would be blocked for approximately
70 consecutive attempts, but if he/she persisted, the sessions would begin
working again.

> We've been blocking *unestablished* sessions to 3127-3198
> for the whole campus since the day MyDoom came out without
> any reported problems and all unestablished sessions into
> the student networks have been blocked since the fall.

If you only block SYN packets with a destination of 3127-3198, that's
much less disruptive, since that will squarely target connections to
services on those ports, and not affect the use of those ports as source
ports.  There's still the potential for disrupting some unintended
traffic, since some protocols (e.g. FTP and RPC) will assign destination
port numbers dynamically.
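The arithmetic in this reply (roughly 2000 sessions before the block bites, about 70 consecutive failures, and why a SYN-only destination-port rule avoids the problem) can be checked with a small model. The following is an added example written for this thread, not code from the original post or from any firewall product. It assumes the simple counter the reply describes, an upper wrap point of 5000 (a common default of that era, not stated in the post), and that every session is an outbound HTTP connection to port 80; the two rule functions model "drop anything with a port in 3127-3198" versus "drop only unestablished (SYN) packets whose destination port is in 3127-3198".

```python
"""Model of how a port-range block interacts with ephemeral source ports.

Constructed for the unisog thread above; the counter, wrap point and
rule semantics are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

EPHEMERAL_LOW = 1024          # counter starts here, as the reply describes
EPHEMERAL_HIGH = 5000         # assumed wrap point (not stated in the post)
BLOCKED_PORTS = range(3127, 3199)   # 3127-3198 inclusive, from the thread


@dataclass
class Packet:
    src_port: int
    dst_port: int
    syn: bool   # True for the first packet of a new (unestablished) session


def block_any_port(pkt: Packet) -> bool:
    """Naive rule: drop if EITHER port falls in the blocked range.

    This is the behaviour the reply warns about: it catches the client's
    own source ports, not just services listening on those ports.
    """
    return pkt.src_port in BLOCKED_PORTS or pkt.dst_port in BLOCKED_PORTS


def block_unestablished_to_dst(pkt: Packet) -> bool:
    """Narrower rule: drop only SYNs whose DESTINATION port is blocked.

    Source ports are never examined, so outbound browsing is unaffected;
    only new connections *to* a service on 3127-3198 are refused.
    """
    return pkt.syn and pkt.dst_port in BLOCKED_PORTS


class EphemeralPortCounter:
    """Monotonic source-port allocator that wraps back to the low end."""

    def __init__(self, low: int = EPHEMERAL_LOW, high: int = EPHEMERAL_HIGH):
        self.low, self.high = low, high
        self.current = low

    def next_port(self) -> int:
        port = self.current
        self.current += 1
        if self.current > self.high:
            self.current = self.low
        return port


def simulate(rule: Callable[[Packet], bool], sessions: int,
             dst_port: int = 80) -> Tuple[Optional[int], int, int]:
    """Open `sessions` outbound connections through `rule`.

    Returns (index of first blocked session or None,
             longest run of consecutive blocked sessions,
             total blocked sessions).
    """
    counter = EphemeralPortCounter()
    first_blocked: Optional[int] = None
    run = longest = total = 0
    for i in range(sessions):
        syn = Packet(counter.next_port(), dst_port, syn=True)
        if rule(syn):
            total += 1
            run += 1
            longest = max(longest, run)
            if first_blocked is None:
                first_blocked = i
        else:
            run = 0
    return first_blocked, longest, total


if __name__ == "__main__":
    for name, rule in (("block any port", block_any_port),
                       ("block SYN to dst", block_unestablished_to_dst)):
        first, longest, total = simulate(rule, sessions=3000)
        print(f"{name:18s} first blocked session: {first}, "
              f"longest outage: {longest}, total blocked: {total}")
```

With the naive rule the 2104th web session (index 2103, source port 3127) is the first to fail and the next 72 in a row fail with it, after which browsing resumes, matching the reply's "about 2000 sessions" and "approximately 70 consecutive attempts". The SYN-to-destination rule blocks none of those sessions while still refusing a new connection to port 3127 itself.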

