Networking Forums

TCP Connections, Bluesocket, and Mac OS X

evan.sherwood@gmail.com
      03-01-2006, 06:27 PM
Hello,

I'm trying to help out my university troubleshoot its problem
concerning OSX systems and Bluesocket wireless technology. We've been
having several users come in on Mac systems that have been quarantined
due to too many open network connections. Here's a quote on the
Bluesocket policy:

"Each time a user makes a new network request, they create a new
session that is being statefully monitored by the WG's firewall. If it
is an existing connection (i.e. a download from a site), then it passes
through the established connection. However, if they are scanning
different machines, ports or have not been replied to by the
destination host, a new session is set up.

Under normal circumstances, users have a relatively low number of
firewall sessions (less than 10). You can see how many sessions your
computer is using by typing netstat from the command prompt on a
windows machine. In unusual circumstances, a user could be running a
server with many clients trying to connect to it, or running a DoS
attack, in which case, they will utilize a very high number of firewall
sessions.

To limit a user to a finite number of firewall sessions, the
administrator can enter a maximum number here. The default is set to
255. If a user attempts to open more than 255 concurrent firewall
sessions, the WG will disconnect other open sessions so that a single
user cannot overuse network resources."

Our Bluesocket is configured at the default value mentioned above.
However, a netstat command from OSX's Network Utility reports that an
average OSX machine connected (only wirelessly) has anywhere between
10,000-20,000 connections. Here's an example printout:

tcp:
136087 packets sent
18908 data packets (1756503 bytes)
22 data packets (5062 bytes) retransmitted
0 resends initiated by MTU discovery
55730 ack-only packets (17833 delayed)
0 URG only packets
0 window probe packets
42896 window update packets
18536 control packets
220755 packets received
40665 acks (for 1763175 bytes)
8537 duplicate acks
0 acks for unsent data
174667 packets (188244806 bytes) received in-sequence
981 completely duplicate packets (1084878 bytes)
1 old duplicate packet
6 packets with some dup. data (2736 bytes duped)
12800 out-of-order packets (16285090 bytes)
300 packets (423700 bytes) of data after window
4 window probes
69 window update packets
18 packets received after close
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
6624 connection requests
5315 connection accepts
7 bad connection attempts
0 listen queue overflows
! --> 11919 connections established (including accepts)
12267 connections closed (including 29 drops)
16 connections updated cached RTT on close
16 connections updated cached RTT variance on close
1 connection updated cached ssthresh on close
10 embryonic connections dropped
40660 segments updated rtt (of 40748 attempts)
154 retransmit timeouts
6 connections dropped by rexmit timeout
0 persist timeouts
0 connections dropped by persist timeout
3 keepalive timeouts
0 keepalive probes sent
1 connection dropped by keepalive
1613 correct ACK header predictions
152701 correct data packet header predictions

This number doesn't seem to be dependent on what programs/utilities are
currently using network resources, as closing programs like iTunes and
Safari doesn't effect any change (often, the number increases).

Now, by the Bluesocket policy, all OSX machines should be quarantined,
right? Tens of thousands of connections are way more than the default
maximum allowed (255) by the Bluesocket server, yet most OSX machines
operate fine on the network. Those that come in quarantined on
wireless don't have any abnormal programs or malfunctions that we can
detect (they're running the same programs by and large; Mail, Safari,
iTunes, etc.). We've contacted other universities that employ
Bluesocket about this problem and none of them seem to share our
experience.

Windows machines accessing wirelessly have connections within the
acceptable range (255 or less).

My question is this: for anyone familiar with Bluesocket, is this
problem a question of configuration of the Bluesocket servers? Or is
it a function of the Macs behaving differently on the Bluesocket
network, and special/additional configuration is required?

Also, is there any utility or program which I can use to monitor
*exactly* where these TCP connections are coming *from* and what they
are for? I've tried IPNetMonitorX, but it only seems to alert me to
the fact that these connections are open, and aren't much more
descriptive than that.

Any light you could shed on the issue would be very helpful! Thanks.
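To make the session rule quoted above concrete, here is a toy model of a per-user session table, added for this thread and not Bluesocket's code: a packet that matches a known session refreshes it, any other packet opens a new one, and a session lingers until an idle timeout expires. The 60 s timeout and the keying on the full address/port tuple are assumptions chosen to illustrate the rule, not documented product behaviour; the user and host names are made up.

```python
"""Toy model of the per-user session table in the quoted policy: a packet that
matches an existing session passes through it, any other packet (new host, new
port, a request nothing answered) opens a new session, and the user is over the
cap once the concurrent count exceeds it (255 by default).

Added illustration for this thread, not Bluesocket's code. The 60 s idle
timeout and keying sessions on the full address/port tuple are assumptions
chosen to make the rule concrete, not documented product behaviour."""
from dataclasses import dataclass, field

IDLE_TIMEOUT = 60.0  # seconds a session lingers after its last packet (assumption)


@dataclass
class SessionTable:
    limit: int = 255
    idle_timeout: float = IDLE_TIMEOUT
    # (user, proto, user_port, peer, peer_port) -> time the last packet was seen
    sessions: dict = field(default_factory=dict)

    def _expire(self, now):
        stale = [k for k, last in self.sessions.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def packet(self, now, user, proto, user_port, peer, peer_port):
        """Record one packet of the user's traffic. A packet on a known tuple
        refreshes that session; anything else is a new session."""
        self._expire(now)
        self.sessions[(user, proto, user_port, peer, peer_port)] = now

    def concurrent(self, user, now):
        self._expire(now)
        return sum(1 for k in self.sessions if k[0] == user)

    def over_limit(self, user, now):
        return self.concurrent(user, now) > self.limit


def download_scenario():
    """One long download: thousands of packets on one tuple, still one session."""
    t = SessionTable()
    for i in range(5000):
        t.packet(i * 0.01, "mac1", "tcp", 50000, "mirror", 80)
    return t.concurrent("mac1", now=50.0)


def tabbed_browsing_scenario(tabs=40, conns_per_tab=4):
    """Every new (host, port) pair is a new session, and sessions the host has
    already closed stay in the table until the idle timeout passes. Returns the
    count right after the last tab opened and the count one timeout later."""
    t = SessionTable()
    port = 49152
    for tab in range(tabs):
        for _ in range(conns_per_tab):
            t.packet(float(tab), "mac1", "tcp", port, f"site{tab}", 80)
            port += 1
    return (t.concurrent("mac1", now=float(tabs)),
            t.concurrent("mac1", now=tabs + IDLE_TIMEOUT + 1))


def dns_burst_scenario(queries=300):
    """A burst of UDP lookups, each from a fresh source port: one session per
    query, so the cap can be crossed without a single TCP socket open."""
    t = SessionTable()
    for i in range(queries):
        t.packet(i * 0.001, "mac1", "udp", 49152 + i, "resolver", 53)
    now = queries * 0.001
    return t.concurrent("mac1", now), t.over_limit("mac1", now)


if __name__ == "__main__":
    print("download:", download_scenario(), "session")
    print("40 tabs x 4 connections:", tabbed_browsing_scenario())
    print("300 DNS queries:", dns_burst_scenario())
```

The point of the model is the gap between the two counters in this thread: netstat on the Mac reports sockets open right now, while a gateway table of this kind keeps a session until its timeout, so a burst of short-lived connections or UDP queries can push the gateway's count past the cap while the host never looks busy.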

 
Moe Trin
      03-02-2006, 11:42 PM
On 1 Mar 2006, in the Usenet newsgroup alt.internet.wireless, in article
<(E-Mail Removed) .com>,
(E-Mail Removed) wrote:

>I'm trying to help out my university troubleshoot its problem
>concerning OSX systems and Bluesocket wireless technology. We've been
>having several users come in on Mac systems that have been quarantined
>due to too many open network connections.


"too many open network connections" determined exactly how?

>However, a netstat command from OSX's Network Utility reports that an
>average OSX machine connected (only wirelessly) has anywhere between
>10,000-20,000 connections. Here's an example printout:


That smells mightily wrong.

> 136087 packets sent


> 220755 packets received


That's historical, not current.

>! --> 11919 connections established (including accepts)
> 12267 connections closed (including 29 drops)


man netstat - in a normal *nix, '/bin/netstat -tuan' should tell what
is _currently_ in use.

>This number doesn't seem to be dependent on what programs/utilities are
>currently using network resources, as closing programs like iTunes and
>Safari don't affect any change (often, the number increases).


which sounds like a historic (cumulative) count, rather than a current
(now in use) count.

There isn't a sanctioned big-eight newsgroup for OSX, but you are posting
from googlegroups - why not search there for such a group. The server I'm
using (giganews) has several, or you could always look in
comp.unix.bsd.freebsd.misc.

Old guy
 
curtiswaters@gmail.com
      03-03-2006, 05:26 AM
You can turn this feature off in Bluesocket (administrative web GUI -
General --> IDS). But really - do you want this number of connections
going thru your wireless network? Most PCs never exceed 20 active
sessions - unless you are running internet P2P apps or games.

The Bluesocket feature is designed to quarantine users who are infected
with a worm, since the behavior of a worm will open many sessions.
What are these OSX machines doing that involves so many concurrent
sessions?

 
bubbaswan
      03-08-2006, 02:07 AM
>"too many open network connections" determined exactly how?

I'm not exactly sure, but probably just by concurrent open sessions.

>That's historical, not current.


I thought it might be, since it didn't decrease when programs accessing
the internet were quit. I fooled around with netstat some and I think
I got a more accurate (and reasonable count) for my particular machine:

blank:~ evan$ netstat
Active Internet connections
Proto Recv-Q Send-Q  Local Address           Foreign Address          (state)
tcp4       0      0  blank.57036             mailsv02.colgate.imap    ESTABLISHED
tcp4       0      0  blank.56970             mailsv02.colgate.imap    ESTABLISHED
tcp4       0      0  blank.56965             mailsv02.colgate.imap    ESTABLISHED
tcp4       0      0  localhost.56958         localhost.ipp            CLOSE_WAIT
tcp4       0      0  localhost.56957         localhost.ipp            CLOSE_WAIT
tcp4       0      0  localhost.netinfo-loca  localhost.976            ESTABLISHED
tcp4       0      0  localhost.976           localhost.netinfo-loca   ESTABLISHED

The rest were UDP connections that had no associated state and local
UNIX domain socket streams. However, even Macs with these low open
connection counts are still getting quarantined because of the
aforementioned Bluesocket policy.

>You can turn this feature off in Bluesocket (administrative web GUI -
>General --> IDS). But really - do you want this number of connections
>going thru your wireless network?


We don't want to turn off this feature, precisely because of the reason
you mentioned next (about worms and all), and we really don't want this
many connections going through the network. However, we also don't
want OSX machines that apparently don't have a huge number of open
connections getting quarantined because Bluesocket thinks they have
that many open connections. Could it be that a particular legitimate
app, when launching, or performing some other task, opens up a large
number of connections at a particular point, which might cause the
Bluesocket to raise red flags? For instance, with web browsing - if I
were to browse several different sites at once through tabbed browsing,
or something similar? I'm just trying to figure out why Bluesocket
thinks that these Macs are so busy on the network when they really
don't appear to be.

>There isn't a sanctioned big-eight newsgroup for OSX, but you are posting
>from googlegroups - why not search there for such a group.


I've looked in other newsgroups to no avail - since the issue seems to
be more on the end of Bluesocket rather than OSX, I thought it best to
post here.

 
Moe Trin
      03-08-2006, 11:54 PM
On 7 Mar 2006, in the Usenet newsgroup alt.internet.wireless, in article
<(E-Mail Removed). com>, bubbaswan wrote:

>>"too many open network connections" determined exactly how?

>
>I'm not exactly sure, but probably just by concurrent open sessions.


Might be interesting for you to find out.

>I thought it might be, since it didn't decrease when programs accessing
>the internet were quit. I fooled around with netstat some and I think
>I got a more accurate (and reasonable count) for my particular machine:
>
>blank:~ evan$ netstat
>Active Internet connections
>Proto Recv-Q Send-Q  Local Address           Foreign Address          (state)
>tcp4       0      0  blank.57036             mailsv02.colgate.imap    ESTABLISHED
>tcp4       0      0  blank.56970             mailsv02.colgate.imap    ESTABLISHED
>tcp4       0      0  blank.56965             mailsv02.colgate.imap    ESTABLISHED

OK, for some reason, you have three sessions open reading mail on the
mail server. Not sure why, but not unreasonable

>tcp4       0      0  localhost.56958         localhost.ipp            CLOSE_WAIT
>tcp4       0      0  localhost.56957         localhost.ipp            CLOSE_WAIT
>tcp4       0      0  localhost.netinfo-loca  localhost.976            ESTABLISHED
>tcp4       0      0  localhost.976           localhost.netinfo-loca   ESTABLISHED

And four sessions where you are talking to yourself. These shouldn't
count, because nothing is leaving your box.

>The rest were UDP connections that had no associated state


Yeah, but how many of them, and to/from what? UDP is commonly used for
DNS (".domain" or 53), and NFS. Where the rub lies is spammers who use
Microsoft "Messenger" service to spam the bejezus out of you - messages
from (usually spoofed) IP addresses to ports 1025-1030/udp, typically
350 to 1200 octets. At work, we port translate any _outbound_ UDP from
the range 1025-1050ish (normally DNS queries) out of that range, so
there will never be legitimate traffic to those ports inbound. Then,
our upstream is able to silently drop that trash. At home, (the last
time I turned on logging) I'm seeing an average of 1000 packets a day
per address. If you have a /16, that's a huge chunk of bandwidth.

>However, even Macs with these low open connection counts are still
>getting quarantined because of the aforementioned Bluesocket policy.


I can't see a reason based on the TCP count - UDP might be another
factor, but without counts, who can say. Did I suggest trying a
packet sniffer? No I didn't. Try tcpdump, or ethereal or similar
and see if you can spot something else. Be sure to notice which interface
you are talking about - loopback doesn't count towards wireless traffic.

>>You can turn this feature off in Bluesocket


[That was a different poster]

>We don't want to turn off this feature, precisely because of the reason
>you mentioned next (about worms and all),


Feline O/S is not as vulnerable as windoze. Someone is acting clueless there.

>and we really don't want this many connections going through the network.


I can agree with that, but "show me the connections" - I'm not seeing any.

>However, we also don't want OSX machines that apparently don't have a huge
>number of open connections getting quarantined because Bluesocket thinks
>they have that many open connections.


Agreed

>Could it be that a particular legitimate app, when launching, or performing
>some other task, opens up a large number of connections at a particular
>point, which might cause the Bluesocket to raise red flags? For instance,
>with web browsing - if I were to browse several different sites at once
>through tabbed browsing, or something similar?


I wouldn't expect it to be any worse than a windoze box - less in fact if
Active-X or JavaCrap is active on the windoze box. However, the answer
might be to packet sniff and compare.

>I'm just trying to figure out why Bluesocket thinks that these Macs are
>so busy on the network when they really don't appear to be.


Your 'netstat' output doesn't indicate a problem.

>I've looked in other newsgroups to no avail - since the issue seems to
>be more on the end of Bluesocket rather than OSX, I thought it best to
>post here.


The reason I was suggesting other groups is finding someone who knows the
switches on the OS X version of netstat. That command started out on BSDs
and V.3, but the various subsequent incarnations have added options enough
to drive you crazy - and few of them do exactly the same thing. Heck, there
is even a windoze version of the command.

Old guy
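Moe Trin's advice through this thread comes down to three checks: look at current sockets rather than the cumulative counters, set loopback aside because nothing there leaves the box, and count what actually goes out the wireless interface. The script below is an added example for this thread (not an Apple, Bluesocket or thread participant's tool) that applies those checks to `netstat -an` output in the BSD/Mac OS X layout bubbaswan posted. The sample output is constructed: 10.0.1.23 stands in for the Mac, the 198.51.100.x documentation addresses for the mail server and resolver, and the UDP rows are invented to show where UDP appears.

```python
"""Summarise `netstat -an` output (BSD / Mac OS X layout): current sockets only,
loopback and listening sockets set aside, the rest grouped by protocol, state
and foreign host. Added example for this thread, not an Apple or Bluesocket
tool. The sample below is constructed: 10.0.1.23 stands for the Mac,
198.51.100.x (documentation addresses) for the mail server and resolver."""
import re
from collections import Counter

# Constructed sample in the layout bubbaswan posted, with the '(state)'
# column back on each line and a few invented UDP rows added.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.23.57036        198.51.100.5.143       ESTABLISHED
tcp4       0      0  10.0.1.23.56970        198.51.100.5.143       ESTABLISHED
tcp4       0      0  10.0.1.23.56965        198.51.100.5.143       ESTABLISHED
tcp4       0      0  127.0.0.1.56958        127.0.0.1.631          CLOSE_WAIT
tcp4       0      0  127.0.0.1.56957        127.0.0.1.631          CLOSE_WAIT
tcp4       0      0  127.0.0.1.1033         127.0.0.1.976          ESTABLISHED
tcp4       0      0  127.0.0.1.976          127.0.0.1.1033         ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  10.0.1.23.49211        198.51.100.2.53
udp4       0      0  10.0.1.23.49212        198.51.100.2.53
udp4       0      0  *.5353                 *.*
Active LOCAL (UNIX) domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
 2f4c3e8 stream      0      0        0  2f4c2a0        0        0
"""

# One socket row: proto, queues, local endpoint, foreign endpoint, optional state.
ROW_RE = re.compile(
    r"^(?P<proto>tcp\d*|udp\d*)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def split_endpoint(endpoint):
    """BSD netstat prints 'host.port'; the port follows the LAST dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def is_loopback(host):
    return host in ("localhost", "::1") or host.startswith("127.")


def parse_netstat(text):
    """Return one dict per TCP/UDP socket row; headers and UNIX sockets are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m.group("local"))
        fhost, fport = split_endpoint(m.group("foreign"))
        rows.append({
            "proto": m.group("proto").rstrip("46"),  # tcp4 / tcp6 / tcp46 -> tcp
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": m.group("state") or "",           # UDP rows carry no state
        })
    return rows


def summarize(rows):
    """Keep only sockets that talk to another host: those are the ones a
    gateway in the path could see and track; loopback never leaves the box."""
    by_state, by_foreign = Counter(), Counter()
    loopback = listening = 0
    for r in rows:
        if r["state"] == "LISTEN" or r["foreign_host"] == "*":
            listening += 1          # bound and waiting: no session yet
            continue
        if is_loopback(r["local_host"]) and is_loopback(r["foreign_host"]):
            loopback += 1
            continue
        by_state[(r["proto"], r["state"] or "STATELESS")] += 1
        by_foreign[r["foreign_host"]] += 1
    return {"by_state": by_state, "by_foreign": by_foreign,
            "loopback": loopback, "listening": listening}


def external_session_count(rows):
    return sum(summarize(rows)["by_state"].values())


def over_limit(rows, limit=255):
    """True when the host-side count alone would trip a per-user session cap."""
    return external_session_count(rows) > limit


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    s = summarize(rows)
    print(f"external sockets: {external_session_count(rows)} "
          f"(loopback {s['loopback']}, listening {s['listening']} set aside)")
    for (proto, state), n in sorted(s["by_state"].items()):
        print(f"  {proto:4} {state:12} {n}")
    for host, n in s["by_foreign"].most_common():
        print(f"  -> {host}: {n}")
    print("over 255-session limit:", over_limit(rows))
```

Run it against real output with `netstat -an | python3 thisfile.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`. The UDP caveat Moe Trin raises shows up in the `*.*` rows: an unconnected UDP socket is listed that way even while it is sending DNS queries, so netstat undercounts what a gateway would see as sessions, and a sniffer on the wireless interface (not lo0) is the way to settle that.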
 