No flow execution could be found with key 'e54s1'

Les LaCroix llacroix at carleton.edu
Wed Nov 28 10:34:44 EST 2018 

My idp-process.log is showing something odd.  Around the clock, about once
an hour or so, there are a spate of dozens of "No flow execution could be
found with key" errors in idp-process.log originating from the same IP
address.  The keys start out with low numbers after the "e" (e.g. e4s1,
maybe even e1s1 sometimes, not sure) but then rapidly increment by 1 and
get up into numbers I don't see anywhere else (e54s1 and higher).  In a
given day there will be several hundred of these from the same IP address,
each time starting over with low numbers.

In comparison, we see a couple dozen of these errors combined from all
other IP addresses.  The key numbers are always low, and no one address
accounts for more than a few errors.

My original thought was that the client was probing (maliciously) to see if
it could hijack an existing flow, so we blocked that IP address at the
border.  It turns out that the IP address is for a home system owned by one
of our CS professors.  The professor specializes in networking and current
interest is with self-healing networks for the home.  In other words, there
could be some unusual software in play, potentially unique to this
individual.

The term just ended last week and professors are turning in grades.  We
removed the IP block at the border because we know the block is
work-affecting and we don't know that the behavior actually malicious.

I do not have a good grasp of Spring web flows, so I don't know how likely
it is that something is happening so that the IdP is generating all these
flows in rapid succession (possibly a misconfiguration on our part); that
something on the client end is trying to hijack an existing flow; or
something else.

Thoughts?  If there's malware on the faculty member's computer, I want to
get that addressed.  Otherwise, I'll stop worrying about it for now, as I
have a project coming up that I expect will likely include an IdP
configuration review by Unicon.

Thanks, -Les

------------------------------
Les LaCroix '79 | Strategic Technologist
Carleton College | 1 N. College St. | MS 3-ITS | Northfield, MN 55057
507.222.5455 | free/busy
<https://calendar.google.com/calendar/embed?src=llacroix%40carleton.edu&ctz=America/Chicago>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20181128/beb3610a/attachment.html>

More information about the users mailing list