ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
|
Posted: Thu Oct 30, 2008 12:11 pm Post subject: Ignore foreign tcp reset packets? |
|
|
I have read about some tools which are trying to cut TCP connections by sending TCP reset packets to both ends of the connection to provoke a shutdown of it. So I am playing around with the idea of examining the hop count (TTL) in the reset packets and determining whether the values are consistent with them arriving from the far end, or if the value indicates they have come from somewhere else, and ignoring them.
So the big question is: is this possible...?
Rei _________________ Please stand by - The mailer daemon is busy burning your messages in hell... |
|
gerdesj l33t
Joined: 29 Sep 2005 Posts: 621 Location: Yeovil, Somerset, UK
|
Posted: Sat Nov 01, 2008 10:31 pm Post subject: Re: Ignore foreign tcp reset packets? |
|
|
If something is able to do a man in the middle like this then it will have to be quite sophisticated.
Even if you could get your end to ignore "bad" RSTs, what about the other end?
The only people I can think of that could do this sort of thing routinely would be your ISP. In general the legality of this sort of thing is highly questionable.
Some hints as to what these tools are might be useful.
Cheers
Jon |
|
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
|
Posted: Sat Nov 01, 2008 10:59 pm Post subject: |
|
|
I would imagine he's talking about Sandvine and other ISP QoS devices meant to kill the usage of BitTorrent and other P2P networks. _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
|
ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
|
Posted: Sun Nov 02, 2008 3:42 pm Post subject: |
|
|
@bunder: you're partially right. I have found that tool:
* net-analyzer/cutter
Available versions: 1.03-r1
Homepage: http://www.lowth.com/cutter/
Description: TCP/IP Connection cutting on Linux Firewalls and Routers
and I just want to know if there's a clean way against such 'foreign connection termination' _________________ Please stand by - The mailer daemon is busy burning your messages in hell... |
|
manaka Apprentice
Joined: 23 Jul 2007 Posts: 178 Location: Spain
|
Posted: Mon Nov 03, 2008 9:30 pm Post subject: |
|
|
You should take into account that the number of hops changes dynamically on the Internet... So the TTL you see can change even if you are not subject to RST attacks.
BTW, someone in the middle could easily forge the TTL of the injected packets... So they could circumvent this kind of TTL protection...
Other tools for the collection ... tcpkill and tcpnice from net-analyzer/dsniff. _________________ Javier Miqueleiz
"Listen to your heart. It knows all things, because it came from the Soul of the World, and it will one day return there." |
|
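The TTL consistency check discussed in this thread, as an added example that is not code from any poster or from the tools named above. It compares each RST's received TTL with the TTLs seen earlier from the same sender on that flow, allowing a small drift for route changes; the record fields, the tolerance of 2 hops and the sample packets are assumptions constructed for illustration. A "consistent" verdict only means the TTL did not stand out, since an injector can forge a matching TTL.

```python
from collections import defaultdict
from statistics import median_low


def classify_resets(packets, tolerance=2):
    """Return (index, verdict) for every RST in `packets`.

    Verdicts: "consistent" (TTL within `tolerance` of the flow's baseline),
    "suspect" (TTL deviates more than that), "no-baseline" (no earlier
    segment from this sender on this flow to compare with).
    """
    seen = defaultdict(list)  # flow key -> TTLs of earlier non-RST segments
    verdicts = []
    for i, p in enumerate(packets):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if "R" not in p["flags"]:
            seen[key].append(p["ttl"])
            continue
        history = seen.get(key)
        if not history:
            verdicts.append((i, "no-baseline"))
        elif abs(p["ttl"] - median_low(history)) <= tolerance:
            verdicts.append((i, "consistent"))
        else:
            verdicts.append((i, "suspect"))
    return verdicts


def pkt(flow, ttl, flags):
    """Build one constructed packet record as seen at the receiving host."""
    src, sport, dst, dport = flow
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "ttl": ttl, "flags": flags}


# Constructed sample (documentation addresses, hypothetical ports).
PEER = ("203.0.113.10", 51413, "192.0.2.5", 6881)
OTHER = ("198.51.100.7", 40000, "192.0.2.5", 6881)
SAMPLE = [
    pkt(PEER, 52, "S"),    # 0: handshake, sets the baseline
    pkt(PEER, 52, "A"),    # 1
    pkt(PEER, 51, "PA"),   # 2: route got one hop longer
    pkt(PEER, 62, "R"),    # 3: RST arriving with 10 more TTL than the peer
    pkt(PEER, 51, "RA"),   # 4: RST with a TTL matching the peer's path
    pkt(OTHER, 64, "R"),   # 5: RST on a flow never seen before
]

if __name__ == "__main__":
    for index, verdict in classify_resets(SAMPLE):
        print(index, SAMPLE[index]["ttl"], verdict)
```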