Tons of TCP connections with SYN flag only and data from CDN77

Hello everyone,

I’ve been running several Storj nodes for the past few years, but a few days ago I started seeing firewall alerts related to TCP connections carrying data with only the SYN flag set.

Since this behavior is unexpected according to the TCP RFCs, I’m considering blocking this traffic. While investigating, I noticed a consistent pattern: all flagged connections originate from CDN77 IP ranges. Connections from other IPs do not exhibit this behavior.

Is this expected behavior for Storj traffic, or is it safe to block these connections?

Thank you.

That is likely traffic from Storj hosted gateway and linksharing servers, which have TCP Fast Open enabled. Maybe something on your end or the behavior of a middlebox has changed and fixed TFO. Have you made any OS, firewall, router, or ISP type changes recently?

1 Like

Hi pwilloughby,

Sorry, I’ve made quite a few changes recently, so I’m unable to pinpoint exactly what may have triggered this.

The most likely cause would be the firewall version upgrade. That said, these messages may have been present for some time, as they’re flagged as low risk and didn’t attract attention from the monitoring tools.

I mainly wanted to confirm whether this behavior is expected or something I should be concerned about.

Yes, it sounds like expected behavior. There's more information about TCP Fast Open here: "Please enable TCP fastopen on your storage nodes", and in the design documents linked in that thread.

1 Like

Has TCP fastopen been added to Windows? As I see, the issue on GitHub is still open.

Easiest would be to check if it actually works. Windows does not have tcpdump, I think, but pktmon should still be there.

pktmon filter add -t TCP
pktmon start --etw
... wait a bit ...
pktmon stop
pktmon format pktmon.etl -o pktmon.txt

And look for syn packets with non-zero length payload, and syn-ack acknowledging that, ideally containing “tfo cookie” although I’m not sure this exact text would appear, maybe it will say “fastopen cookie” or something along those lines.

2 Likes
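The check described in the last post (SYN with a non-zero payload, and whether a Fast Open cookie accompanies it) can also be done programmatically. This is an added example, not part of the thread or of Storj's code: it assumes raw IPv4 packet bytes as input, looks only for the RFC 7413 option (kind 34), and uses constructed addresses, ports and cookie values.

```python
import struct
TFO_KIND = 34  # TCP Fast Open option kind (RFC 7413)

def tcp_options(raw):
    """Yield (kind, data) for each TCP option; stop on malformed lengths."""
    i = 0
    while i < len(raw) and raw[i] != 0:        # kind 0 = end of option list
        if raw[i] == 1:                        # kind 1 = NOP padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            return
        yield raw[i], raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]

def classify(pkt):
    """Classify one IPv4 packet (bytes starting at the IP header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return "not-ipv4-tcp"
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    if len(tcp) < 20 or tcp[12] >> 4 < 5:
        return "malformed"
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    cookie = dict(tcp_options(tcp[20:data_off])).get(TFO_KIND)
    if not flags & 0x02:
        return "not-syn"
    if flags & 0x10:                           # SYN-ACK from the server side
        return "synack-with-tfo-cookie" if cookie else "synack"
    if len(tcp) > data_off:                    # SYN carrying payload
        return "syn-data-with-tfo-cookie" if cookie else "syn-data-no-cookie"
    if cookie is None:
        return "plain-syn"
    return "syn-tfo-cookie" if cookie else "syn-tfo-cookie-request"

def build(flags, options=b"", payload=b""):
    """Constructed IPv4/TCP packet for the demo (addresses, ports, cookie made up)."""
    options += b"\x01" * (-len(options) % 4)   # pad options to a 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", 50000, 8080, 1, 0,
                      (5 + len(options) // 4) << 4, flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp

COOKIE = bytes([TFO_KIND, 10]) + bytes(range(8))   # constructed 8-byte cookie
if __name__ == "__main__":
    for pkt in (build(0x02, COOKIE, b"hello"), build(0x02, b"", b"hello"),
                build(0x02, bytes([TFO_KIND, 2])), build(0x12, COOKIE)):
        print(classify(pkt))
```

A `syn-data-with-tfo-cookie` result matches the Fast Open behavior described in the thread; `syn-data-no-cookie` is the case worth a closer look before deciding on a firewall rule.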