Second TCP connection opened to port 443 from mobile Chrome and later closed without Client Hello


James Hartig

May 17, 2017, 9:47:52 AM
to net-dev
We're seeing >50k closed-without-use sockets opened to port 443 across all of our servers per hour. According to our tcpdumps, 2 TCP connections are opened back-to-back but only the first one is ever used. The second one is closed by the client ~10 seconds later without ever sending a Client Hello.
The service is written in Go and is using the default cipher suite and advertises HTTP/2. The service sits behind a Google LB in multiple GCE zones around the world. We've randomly sampled the UAs and the majority are coming from Chrome+mobile (though this might just be relative to our traffic and Chrome's popularity). Chrome versions are all over the map and don't point to a particular version. There's been plenty of version 58, so it seems like it might still be an issue. It could also be an Android issue, but we've seen iOS devices as well. The IPs are spread across multiple ISPs.

Here's what we're seeing (from Wireshark):
Connection 1: client port: 47108, server port: 443
17:28:03.835012 TCP 47108 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1360 SACK_PERM=1 WS=256
17:28:03.835038 TCP 443 → 47108 [SYN, ACK] Seq=0 Ack=1 Win=28160 Len=0 MSS=1420 SACK_PERM=1 WS=128
17:28:04.004216 TCP 47108 → 443 [ACK] Seq=1 Ack=1 Win=82944 Len=0
17:28:04.017079 TLSv1.2 Client Hello
... this continues normally ...

Connection 2:
17:28:04.002616 TCP 49694 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1360 SACK_PERM=1 WS=256
17:28:04.002636 TCP 443 → 49694 [SYN, ACK] Seq=0 Ack=1 Win=28160 Len=0 MSS=1420 SACK_PERM=1 WS=128
17:28:04.017127 TCP 443 → 47108 [ACK] Seq=1 Ack=204 Win=29312 Len=0
17:28:15.124506 TCP 49694 → 443 [FIN, ACK] Seq=1 Ack=1 Win=82944 Len=0
17:28:15.124639 TCP 443 → 49694 [FIN, ACK] Seq=1 Ack=2 Win=28160 Len=0
17:28:15.564961 TCP 49694 → 443 [ACK] Seq=2 Ack=2 Win=82944 Len=0

This is the case with all connections we've seen. Let me know if there's more information I can provide. We've been unable to replicate this using our own Android devices and Chrome, but we'll update the thread if we can. I'm not sure if this is particularly a Chrome issue, but I thought I'd share in case others have experienced this and since it is definitely happening from Chrome UAs more often than not.

Thanks!
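
One way to count such sockets from inside a Go service rather than from packet captures, as an added example that is not part of the original post or the poster's code: a listener wrapper that counts connections closed before the client sent any bytes, which on port 443 means before the Client Hello. The names `TrackingListener` and `trackedConn` are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"sync/atomic"
)

// TrackingListener (hypothetical name) wraps the TCP listener given to tls.NewListener.
type TrackingListener struct {
	net.Listener
	Accepted, Unused atomic.Int64 // Unused: closed with zero bytes received
}

// trackedConn counts client bytes; on a TLS port the first are the Client Hello.
type trackedConn struct {
	net.Conn
	owner *TrackingListener
	read  atomic.Int64
}

func (l *TrackingListener) Accept() (net.Conn, error) {
	c, err := l.Listener.Accept()
	if err != nil {
		return nil, err
	}
	l.Accepted.Add(1)
	return &trackedConn{Conn: c, owner: l}, nil
}

func (c *trackedConn) Read(p []byte) (int, error) {
	n, err := c.Conn.Read(p)
	c.read.Add(int64(n))
	return n, err
}

func (c *trackedConn) Close() error {
	// Swap leaves a non-zero value behind, so a repeated Close is not counted twice.
	if c.read.Swap(1) == 0 {
		c.owner.Unused.Add(1)
	}
	return c.Conn.Close()
}

func main() {
	l := &TrackingListener{}
	_, server := net.Pipe() // constructed in-memory peer that never sends a byte
	(&trackedConn{Conn: server, owner: l}).Close()
	fmt.Println("unused:", l.Unused.Load())
}
```

Because the TLS layer reads through the wrapped connection, a handshake that never starts leaves the byte count at zero, and the ratio of `Unused` to `Accepted` gives the share of idle connections.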

Matt Menke

May 17, 2017, 10:12:45 AM
to James Hartig, net-dev
I'm not sure about why the other sockets aren't seeing a client hello, but Chrome does preconnect two sockets during a main frame navigation.  I believe about:settings->advanced->use a prediction service to load pages more quickly turns off the behavior.  Maybe you have this setting disabled via policy?

--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+unsubscribe@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/6a384208-b944-4822-8e24-675355f09ee9%40chromium.org.

James Hartig

May 17, 2017, 10:31:50 AM
to Matt Menke, net-dev
I should've provided more details about what our service does, sorry. We provide a JS client library to publishers that they put on their site and the client library makes AJAX calls back to our servers to report analytics data (think Google Analytics). In the normal case, Chrome shouldn't be doing any main frame navigations to our domains.

I have seen Chrome make multiple connections on navigation during testing but all of them are used, like you said.


Matt Menke

May 17, 2017, 11:17:11 AM
to James Hartig, net-dev
The fact that you're seeing this on iOS and Android eliminates the possibility that this is a third party extension.  The fact that you're seeing it on iOS seems particularly weird - Chrome on iOS is basically an entirely different beast than on other platforms, and Chrome doesn't even use our network stack there, for the most part.

Unfortunately, without being able to talk to anyone with a client that exhibits this behavior, I'm not sure how much headway we can make here, unless this behavior sounds familiar to anyone on this list.

I don't suppose you could point us to a site that exhibits this behavior, and tell us what domain you're seeing the extra connections to, so we could at least try reproducing locally?

James Hartig

May 23, 2017, 9:55:22 PM
to net-dev, faste...@gmail.com
I was hoping that someone on the list has seen this before but the lack of responses isn't leaving me optimistic.

Because we provide a JS client for sites to embed, there are a lot of sites that cause this error and it doesn't seem to be related to any particular site. But a site we own that has our JS on it is https://blog.getadmiral.com/ and the JS is loaded from owlsr.us and POST requests are made to that same domain as well. The issue seems to be related to the first connection open from the client which leads me to believe that it's caused by some preconnect or prefetch logic, but we don't instruct our customers to insert any link tags for these.

I can provide more information as I discover it. Thank you for taking the time and helping with this.