
Troubleshooting Network Connectivity: A TCP Reset Case Study


This case study demonstrates the importance of network traffic analysis and how it can help us solve connectivity issues. Please note that it is based on a simulated cybersecurity incident conducted as part of a training exercise.

The Scenario

A few weeks ago, several customers reported that they were unable to access a client company's website. They kept encountering a "connection refused" error after waiting for the page to load.

The Investigation

I attempted to visit the website and received the "connection refused" error. To troubleshoot the issue, I loaded the network analyzer tool and tried to load the page again.

During this process, my browser sent a TCP SYN packet to the web server to request the establishment of a TCP connection. Wireshark showed that the web server was responding with TCP RST packets, telling me that the connection was reset, along with the error message: "tcp port 80 reset."

The Analysis

After reviewing the network traffic logs, I found that the protocols used for the network traffic were HTTP and TCP. However, the TCP packets sent to the web server were being reset. That's probably why the webpage wasn't loading.

Here's a simplified version of what I saw in the network traffic logs:

1   0.000000  192.168.1.2  93.184.216.34  TCP  74  49152 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=945617733 TSecr=0 WS=128
2   0.011431  93.184.216.34  192.168.1.2  TCP  60  80 → 49152 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3   0.022862  192.168.1.2  93.184.216.34  TCP  74  49152 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=945617733 TSecr=0 WS=128
4   0.034293  93.184.216.34  192.168.1.2  TCP  60  80 → 49152 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Network Traffic Log Review

Lines 1 and 3 are the initial outgoing requests from the user’s computer (192.168.1.2) to the web server (93.184.216.34) on port 80, which is the standard port for HTTP traffic. These requests are sent in TCP packets with the SYN flag set, indicating an attempt to establish a TCP connection.

Lines 2 and 4 are the responses from the web server. Instead of the expected SYN-ACK packets to acknowledge the connection requests, the web server sends TCP packets with the RST (Reset) flag set, showing that the connection attempts have been refused.
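The review above can be automated. The following is an added example, not part of the original post: it parses the four summary lines from the capture and pairs each SYN with the reply on the reversed address/port tuple. The function names and the "accepted", "reset" and "no reply" labels are assumptions made for this sketch.

```python
import re

# Constructed sample: the four summary lines shown in the capture above.
CAPTURE = """\
1   0.000000  192.168.1.2  93.184.216.34  TCP  74  49152 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=945617733 TSecr=0 WS=128
2   0.011431  93.184.216.34  192.168.1.2  TCP  60  80 → 49152 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3   0.022862  192.168.1.2  93.184.216.34  TCP  74  49152 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=945617733 TSecr=0 WS=128
4   0.034293  93.184.216.34  192.168.1.2  TCP  60  80 → 49152 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
"""

# Columns: No, Time, Source, Destination, Protocol, Length, "sport → dport [flags]"
LINE_RE = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+"
    r"(\d+)\s+(?:→|->)\s+(\d+)\s+\[([^\]]+)\]")

def parse(text):
    """Turn Wireshark-style summary lines into dicts; skip lines that don't match."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            no, ts, src, dst, sport, dport, flags = m.groups()
            packets.append({"no": int(no), "time": float(ts),
                            "conn": (src, int(sport), dst, int(dport)),
                            "flags": {f.strip() for f in flags.split(",")}})
    return packets

def classify_handshakes(packets):
    """Pair each bare SYN with the first reply seen on the reversed 4-tuple."""
    results, pending = [], {}   # pending: expected reply 4-tuple -> SYN frame no.
    for p in packets:
        src, sport, dst, dport = p["conn"]
        if p["flags"] == {"SYN"}:
            reply_key = (dst, dport, src, sport)
            if reply_key in pending:      # earlier SYN was never answered
                results.append((pending[reply_key], "no reply"))
            pending[reply_key] = p["no"]
        elif p["conn"] in pending:
            syn_no = pending.pop(p["conn"])
            if "RST" in p["flags"]:
                outcome = "reset"         # actively refused
            elif {"SYN", "ACK"} <= p["flags"]:
                outcome = "accepted"      # normal second step of the handshake
            else:
                outcome = "other"
            results.append((syn_no, outcome))
    results += [(no, "no reply") for no in pending.values()]
    return sorted(results)

if __name__ == "__main__":
    for no, outcome in classify_handshakes(parse(CAPTURE)):
        print(f"SYN in frame {no}: {outcome}")
```

Separating "reset" from "no reply" matters when triaging: an RST means something on the path actively answered (a host with no listener on the port, or a rejecting firewall rule), while silence usually points to packets being dropped.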

Solution

I believe that there was a configuration issue on the server that was causing it to reset the TCP packets. I suggest checking the server's configuration settings, paying close attention to the ones related to TCP connections and firewall rules, making any changes if needed, and testing again. If the issue persists, I would recommend escalating it to the server's hosting provider.

Tools used:

Wireshark: used to capture and analyze network traffic while I was attempting to load the webpage. It showed that TCP packets sent to the web server were being reset, which might have been the problem that was preventing the webpage from loading.

Lessons Learned

I gained a better understanding of how the HTTP and TCP protocols work.
I learned about the TCP three-way handshake process, which is used to establish a TCP connection.
I also learned about the TCP reset flag, which is used to terminate a TCP connection.