Imperva block analyze

 

1)客户端抓包信息 

三次握手

13:32:15.998245 180.168.xxx.xxx.3942 > 172.16.8.14.http: S 3786149313:3786149313(0) win 4380 <mss 1460,nop,wscale 0,sackOK,eol> (DF)

13:32:15.998678 172.16.8.14.http > 180.168.xxx.xxx.3942: S 2800298907:2800298907(0) ack 3786149314 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9> (DF)

13:32:15.998685 180.168.xxx.xxx.3942 > 172.16.8.14.http: . ack 1 win 4380 (DF)

 

客户端发送不符合规则的HTTP REQUEST

13:32:15.998691 180.168.xxx.xxx.3942 > 172.16.8.14.http: P 1:800(799) ack 1 win 4380 (DF)

 

被Imperva block后，imperva会代替服务器发送错误页面，并且带有FIN标志，要求关闭此连接

13:32:15.999654 172.16.8.14.http > 180.168.xxx.xxx.3942: FP 1:565(564) ack 800 win 5840 (DF)

客户端看到的信息：

 

客户端收到imperva发送的FIN包后，发送确认的ack包，确认接收到的FIN请求

13:32:15.999671 180.168.xxx.xxx.3942 > 172.16.8.14.http: . ack 566 win 4944 (DF)

 

服务器收到客户端的确认的ack包，服务器之前被发送RESET包，所以发生icmp回应，类型3,代码10，表示目标主机被强制禁止，

13:32:16.000386 172.16.8.14 > 180.168.xxx.xxx: icmp: host 172.16.8.14 unreachable - admin prohibited [tos 0xc0]

 

客户端TCP重传FIN包

13:32:16.018214 180.168.xxx.xxx.3942 > 172.16.8.14.http: F 800:800(0) ack 566 win 4944 (DF)

 

13:32:16.018941 172.16.8.14 > 180.168.xxx.xxx: icmp: host 172.16.8.14 unreachable - admin prohibited [tos 0xc0]

 

客户端TCP重传FIN包

13:32:17.217440 180.168.xxx.xxx.3942 > 172.16.8.14.http: F 800:800(0) ack 566 win 4944 (DF)

 

13:32:17.217690 172.16.8.14 > 180.168.xxx.xxx: icmp: host 172.16.8.14 unreachable - admin prohibited [tos 0xc0]

 

客户端TCP重传FIN包

13:32:19.417414 180.168.xxx.xxx.3942 > 172.16.8.14.http: F 800:800(0) ack 566 win 4944 (DF)

13:32:19.417660 172.16.8.14 > 180.168.xxx.xxx: icmp: host 172.16.8.14 unreachable - admin prohibited [tos 0xc0]

 

客户端TCP重传FIN包

13:32:23.617405 180.168.xxx.xxx.3942 > 172.16.8.14.http: F 800:800(0) ack 566 win 4944 (DF)

13:32:23.617652 172.16.8.14 > 180.168.xxx.xxx: icmp: host 172.16.8.14 unreachable - admin prohibited [tos 0xc0]

 

客户端TCP重传FIN包

13:32:31.817678 180.168.xxx.xxx.3942 > 172.16.8.14.http: F 800:800(0) ack 566 win 4944 (DF)

13:32:31.817930 172.16.8.14 > 180.168.xxx.xxx: icmp: host 172.16.8.14 unreachable - admin prohibited [tos 0xc0]

 

WINDOWS默认的客户端TCP重传次数为5次，发送RESET包，重置连接

13:32:40.078809 180.168.xxx.xxx.3942 > 172.16.8.14.http: R 801:801(0) ack 566 win 4944 (DF)

 

13:32:40.079231 172.16.8.14 > 180.168.xxx.xxx: icmp: host 172.16.8.14 unreachable - admin prohibited [tos 0xc0]

 

2)服务器抓包信息

三次握手

13:32:15.999401 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: S 3786149313:3786149313(0) win 4380 <mss 1460,nop,wscale 0,sackOK,eol>

13:32:15.999509 IP 172.16.8.14.http > 180.168.xxx.xxx.srdp: S 2800298907:2800298907(0) ack 3786149314 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>

13:32:15.999842 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: . ack 1 win 4380

 

被Imperva block后，imperva会代替客户端向服务器发送reset包，重置此连接

13:32:16.000343 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: R 1:1(0) ack 1 win 4380

 

客户端收到imperva发送的FIN包后，发送确认的ack包，确认接收到的FIN请求

13:32:16.000990 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: . ack 566 win 4944

 

13:32:16.001011 IP 172.16.8.14 > 180.168.xxx.xxx: ICMP host 172.16.8.14 unreachable - admin prohibited, length 48

 

客户端TCP重传FIN包

13:32:16.019413 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: F 800:800(0) ack 566 win 4944

 

13:32:16.019424 IP 172.16.8.14 > 180.168.xxx.xxx: ICMP host 172.16.8.14 unreachable - admin prohibited, length 48

 

客户端TCP重传FIN包

13:32:17.218344 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: F 800:800(0) ack 566 win 4944

13:32:17.218365 IP 172.16.8.14 > 180.168.xxx.xxx: ICMP host 172.16.8.14 unreachable - admin prohibited, length 48

 

客户端TCP重传FIN包

13:32:19.418370 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: F 800:800(0) ack 566 win 4944

13:32:19.418396 IP 172.16.8.14 > 180.168.xxx.xxx: ICMP host 172.16.8.14 unreachable - admin prohibited, length 48

 

客户端TCP重传FIN包

13:32:23.618343 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: F 800:800(0) ack 566 win 4944

13:32:23.618363 IP 172.16.8.14 > 180.168.xxx.xxx: ICMP host 172.16.8.14 unreachable - admin prohibited, length 48

 

客户端TCP重传FIN包

13:32:31.818658 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: F 800:800(0) ack 566 win 4944

13:32:31.818685 IP 172.16.8.14 > 180.168.xxx.xxx: ICMP host 172.16.8.14 unreachable - admin prohibited, length 48

 

WINDOWS默认的客户端TCP重传次数为5次，发送RESET包，重置连接

13:32:40.079904 IP 180.168.xxx.xxx.srdp > 172.16.8.14.http: R 801:801(0) ack 566 win 4944

 

13:32:40.079930 IP 172.16.8.14 > 180.168.xxx.xxx: ICMP host 172.16.8.14 unreachable - admin prohibited, length 48