websocket connections are reset/fin-ed on certain (malicious) 3rd party connections #402

Closed
fwoeck opened this issue Jul 21, 2011 · 1 comment

fwoeck commented Jul 21, 2011

Hi, we have had lots of the connections described below originating from cn-domains over the last few days.

We use juggernaut2 which uses socket-io (0.7.7) for its connection management.
For a couple of days, connections on our hosts have kept resetting
every other minute.

After some package capturing, I found that this connection loss is
always preceded by a connection from another host.

Please see this image for details:
https://img.skitch.com/20110706-j2mtndgphypuss2kq7dpy9rrnq.png

The packages until #64 are regular stuff during my websocket
connection. My IP is 79.253.18.81, the IP of the server interface is
10.228.214.111

At package #65 the host 212.92.202.48 (~dns1.metronet.hr) starts a
connection and on #68 asks me kindly to connect to 205.188.251.36:443
(imauth-p02a.blue.icq.net). If I understand it right, someone is
looking for an anonymous proxy.

In package #70 our server starts to fin the connection - which is
probably a good thing to do, but

In #74 my client connection gets a fin too, which leads to a
reconnect on my client side

If I connected more websocket clients at that time, all of them would
be reset.

I should mention that the socket-io-traffic uses SSL encryption.

For now, I just marked this foreign IP address in iptables, but this
is of course not a solution.

Thank you for any thoughts on this
--Frank

fwoeck commented Jul 21, 2011

Small addition: comparable connection cuts also seem to happen if a regular connection gets FINed because of packet corruption/loss (e.g. in a UMTS or WiFi net).

fwoeck closed this as completed Mar 3, 2012