
Explaining Close_Wait

by 잡다한 처리 2010. 4. 2.

When analysing malware that uses the network, you come across a lot of connections.
Among these, a connection in Close_Wait is a state that describes the communication status between server and client:
it usually means the client has terminated the communication but the server side has not yet closed the connection.

This is only a guess, but I think that if the Close_Wait state persists, the server could forcibly carry out malicious activity regardless of the client's intent.

Blog post explaining Close_Wait

According to that blog, the Close_Wait timing period can be configured through the following registry key:
HKEY_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• MaxUserPort
  This entry makes more ports available.
• TcpTimedWaitDelay

It also listed the connection states that netstat shows:
- CLOSED 
Indicates that the server has received an ACK signal from the client and the connection is closed

- CLOSE_WAIT 
Indicates that the server has received the first FIN signal from the client and the connection is in the process of being closed. So this essentially means that this is a state where the socket is waiting for the application to execute close(). A socket can be in CLOSE_WAIT state indefinitely until the application closes it. Faulty scenarios would be something like a file descriptor leak, or the server not executing close() on the socket, leading to a pile-up of close_wait sockets.

- ESTABLISHED 
Indicates that the server received the SYN signal from the client and the session is established

- FIN_WAIT_1 
Indicates that the connection is still active but not currently being used

- FIN_WAIT_2 
Indicates that the client just received acknowledgment of the first FIN signal from the server

- LAST_ACK 
Indicates that the server is in the process of sending its own FIN signal

- LISTENING 
Indicates that the server is ready to accept a connection

- SYN_RECEIVED 
Indicates that the server just received a SYN signal from the client

- SYN_SENT
Indicates that this particular connection is open and active

- TIME_WAIT 
Indicates that the client recognizes the connection as still active but not currently being used

So the explanation for a close_wait situation is as below:
CLOSE is an operation meaning "I have no more data to send." That is, the client/server has chosen to treat CLOSE in a simplex fashion. The user who CLOSEs may continue to RECEIVE until he is told that the other side has CLOSED also. Thus, a program/application could initiate several SENDs followed by a CLOSE, and then continue to RECEIVE until signalled that a RECEIVE failed because the other side has CLOSED. We assume that the TCP will signal a user, even if no RECEIVEs are outstanding, that the other side has closed, so the user can terminate his side gracefully. A TCP will reliably deliver all buffers SENT before the connection was CLOSED, so a user who expects no data in return need only wait to hear that the connection was CLOSED successfully to know that all his data was received at the destination TCP. Users must keep reading connections they close for sending until the TCP says no more data.
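As an added example (not code from this blog or from the quoted source), here is a small Python script that parses Windows `netstat -ano` output and flags the CLOSE_WAIT pile-up described above: since CLOSE_WAIT has no timer and only ends when the owning process calls close(), a climbing count per PID is the thing to watch for. The netstat sample is constructed, and the threshold of 3 is an arbitrary choice.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output (Windows layout), not a real capture.
# PID 2112 plays a process that never calls close() on its sockets.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49731         203.0.113.7:80         ESTABLISHED     2112
  TCP    10.0.0.5:49732         203.0.113.7:80         CLOSE_WAIT      2112
  TCP    10.0.0.5:49733         203.0.113.7:80         CLOSE_WAIT      2112
  TCP    10.0.0.5:49734         203.0.113.7:80         CLOSE_WAIT      2112
  TCP    10.0.0.5:49735         203.0.113.7:443        CLOSE_WAIT      2112
  TCP    10.0.0.5:49740         198.51.100.9:443       CLOSE_WAIT      880
  TCP    10.0.0.5:49741         198.51.100.9:443       TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       920
  UDP    0.0.0.0:500            *:*                                    1204
"""

def parse_netstat(text):
    """One dict per TCP row (local, remote, state, pid). UDP rows have no
    State column, so they split into 4 fields and are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        rows.append({"local": local, "remote": remote, "state": state, "pid": int(pid)})
    return rows

def state_counts(rows):
    """Histogram of states, e.g. {'CLOSE_WAIT': 5, 'LISTENING': 2, ...}."""
    return Counter(r["state"] for r in rows)

def close_wait_pileups(rows, threshold=3):
    """PIDs holding at least `threshold` CLOSE_WAIT sockets, with the remote
    endpoints involved. CLOSE_WAIT has no timer: it clears only when the owning
    process calls close(), so a growing count per PID points at a leak."""
    per_pid = {}
    for r in rows:
        if r["state"] == "CLOSE_WAIT":
            per_pid.setdefault(r["pid"], []).append(r["remote"])
    return {pid: sorted(set(remotes)) for pid, remotes in per_pid.items()
            if len(remotes) >= threshold}

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(dict(state_counts(rows)))
    for pid, remotes in close_wait_pileups(rows).items():
        print(f"PID {pid}: CLOSE_WAIT pile-up toward {', '.join(remotes)}")
```

On a live host, pipe the real `netstat -ano` output into `parse_netstat` and re-run the check over time; a PID whose CLOSE_WAIT count keeps growing is the one to inspect.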

An explanation of netstat can also be found easily on the following site ^^
