

funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6

1 recommendation

reply to funchords

Tests and Results-RSTs are set in both directions

Regarding these Posts and similar:
»redhatcat.blogspot.com/2007/09/b···pfw.html
»redhatcat.blogspot.com/2007/09/b···les.html

Several have mentioned that it is possible to defeat the injected/forged RST packets by ignoring them at a firewall. I tested that theory earlier (»Re: Comcast is using Sandvine to manage P2P Connections), but the rumor persists. "Redhatcat" claims first-hand knowledge that a forged RST is not sent from the Comcast network.

»digg.com/linux_unix/Linux_iptabl···_Killing
quote:
Comcast does not kill non-Comcast connections. I only know from personal experience.

I believe they choose to not do this to avoid lawsuits from other ISPs, as that behavior could be seen as a DoS attack on their customers/networks. That's not to say what they are doing to their customers now is not a DoS attack, but they are less afraid of lawsuits from individuals than other ISPs most likely.

Unfortunately, he is incorrect.

The following are two Wireshark copies of the same TCP conversation -- one from a Comcast system that is seeding a BitTorrent file, one from a Non-Comcast system that is trying to download it. The connection is torn down by forged RST packets about 30 seconds after it starts:

LOG from 192.168.177.109
Wireshark Display Filter: (ip.addr eq 192.168.177.109 and ip.addr eq no.t-c.omc.ast) and (tcp.port eq 10941 and tcp.port eq 3828) and ((tcp.len > 0 and tcp.len < 256) or  tcp.flags.reset == 1)
 
No.     Time        Source                Destination           Protocol Info
   2615 270.433545  no.t-c.omc.ast        192.168.177.109       BitTorrent Handshake
   2616 270.441617  192.168.177.109       no.t-c.omc.ast        BitTorrent Handshake  Continuation data
   2617 270.821830  no.t-c.omc.ast        192.168.177.109       BitTorrent Continuation data
   2619 273.854944  192.168.177.109       no.t-c.omc.ast        BitTorrent Continuation data
   2621 275.031345  no.t-c.omc.ast        192.168.177.109       BitTorrent Continuation data
   2623 275.835629  192.168.177.109       no.t-c.omc.ast        BitTorrent Unchoke
   2624 276.217062  no.t-c.omc.ast        192.168.177.109       BitTorrent Request, Piece (Idx:0x1,Begin:0xc000,Len:0x4000)
   2647 279.154962  no.t-c.omc.ast        192.168.177.109       BitTorrent Not Interested  Have, Piece (Idx:0x1)
   2648 279.155083  192.168.177.109       no.t-c.omc.ast        BitTorrent Choke
   2650 280.981972  192.168.177.109       no.t-c.omc.ast        BitTorrent Have, Piece (Idx:0x2)
   2652 282.025653  no.t-c.omc.ast        192.168.177.109       BitTorrent Interested
   2654 282.834452  192.168.177.109       no.t-c.omc.ast        BitTorrent Unchoke
   2655 283.218291  no.t-c.omc.ast        192.168.177.109       BitTorrent Request, Piece (Idx:0x2,Begin:0x0,Len:0x4000)  Request, Piece (Idx:0x2,Begin:0x4000,Len:0x4000)
   2658 283.329341  192.168.177.109       no.t-c.omc.ast        TCP      [TCP segment of a reassembled PDU]
   2678 283.919542  192.168.177.109       no.t-c.omc.ast        TCP      [TCP segment of a reassembled PDU]
   2684 284.216967  no.t-c.omc.ast        192.168.177.109       BitTorrent Request, Piece (Idx:0x2,Begin:0x8000,Len:0x4000)
   2710 285.284180  no.t-c.omc.ast        192.168.177.109       BitTorrent Request, Piece (Idx:0x2,Begin:0xc000,Len:0x4000)
   2742 288.151657  no.t-c.omc.ast        192.168.177.109       BitTorrent Not Interested  Have, Piece (Idx:0x2)
   2743 288.151817  192.168.177.109       no.t-c.omc.ast        BitTorrent Choke
   2745 289.983878  192.168.177.109       no.t-c.omc.ast        BitTorrent Have, Piece (Idx:0x5)
   2747 291.022881  no.t-c.omc.ast        192.168.177.109       BitTorrent Interested
   2749 291.842268  192.168.177.109       no.t-c.omc.ast        BitTorrent Unchoke
   2750 292.232989  no.t-c.omc.ast        192.168.177.109       BitTorrent Request, Piece (Idx:0x5,Begin:0x0,Len:0x4000)  Request, Piece (Idx:0x5,Begin:0x4000,Len:0x4000)  Request, Piece (Idx:0x5,Begin:0x8000,Len:0x4000)
   2782 293.362854  no.t-c.omc.ast        192.168.177.109       BitTorrent Request, Piece (Idx:0x5,Begin:0xc000,Len:0x4000)
   2839 297.074532  192.168.177.109       no.t-c.omc.ast        TCP      [TCP segment of a reassembled PDU]
   2843 298.111256  no.t-c.omc.ast        192.168.177.109       BitTorrent Not Interested  Have, Piece (Idx:0x5)
   2844 298.111379  192.168.177.109       no.t-c.omc.ast        BitTorrent Choke
   2846 299.882328  192.168.177.109       no.t-c.omc.ast        BitTorrent Have, Piece (Idx:0x6)
   2848 301.036256  no.t-c.omc.ast        192.168.177.109       BitTorrent Interested
   2850 301.949703  192.168.177.109       no.t-c.omc.ast        BitTorrent Unchoke  Continuation data
   2851 302.331317  no.t-c.omc.ast        192.168.177.109       BitTorrent Request, Piece (Idx:0x6,Begin:0x0,Len:0x4000)  Request, Piece (Idx:0x6,Begin:0x4000,Len:0x4000)  Request, Piece (Idx:0x6,Begin:0x8000,Len:0x4000)
   2853 302.332386  192.168.177.109       no.t-c.omc.ast        TCP      [TCP segment of a reassembled PDU]
   2854 302.344482  no.t-c.omc.ast        192.168.177.109       TCP      3828 > 10941 [RST] Seq=406 Len=0
   2855 302.344668  no.t-c.omc.ast        192.168.177.109       TCP      3828 > 10941 [RST] Seq=12909 Len=0
   2856 302.351237  no.t-c.omc.ast        192.168.177.109       TCP      3828 > 10941 [RST] Seq=406 Len=0
   2857 302.351407  no.t-c.omc.ast        192.168.177.109       TCP      3828 > 10941 [RST] Seq=12909 Len=0
 
Note: Packet 2854 indicates receiving an RST from the Non-Comcast system.
 

LOG from no.t-c.omc.ast
Wireshark Display Filter: (ip.addr eq 24.20.3X.XXX and ip.addr eq no.t-c.omc.ast) and (tcp.port eq 10941 and tcp.port eq 3828) and ((tcp.len > 0 and tcp.len < 256) or  tcp.flags.reset == 1)
 
No.     Time        Source                Destination           Protocol Info
   2594 270.413086  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Handshake
   2595 270.820312  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Handshake  Continuation data
   2596 270.821289  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Continuation data
   2598 274.249023  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Continuation data
   2600 275.032226  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Continuation data
   2602 276.213867  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Unchoke
   2603 276.213867  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Request, Piece (Idx:0x1,Begin:0xc000,Len:0x4000)
   2626 279.146484  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Not Interested  Have, Piece (Idx:0x1)
   2627 279.541992  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Choke
   2629 281.361328  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Have, Piece (Idx:0x2)
   2631 282.023437  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Interested
   2633 283.212890  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Unchoke
   2634 283.212890  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Request, Piece (Idx:0x2,Begin:0x0,Len:0x4000)  Request, Piece (Idx:0x2,Begin:0x4000,Len:0x4000)
   2638 283.733398  24.20.3X.XXX          no.t-c.omc.ast        TCP      [TCP segment of a reassembled PDU]
   2655 284.208007  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Request, Piece (Idx:0x2,Begin:0x8000,Len:0x4000)
   2666 284.309570  24.20.3X.XXX          no.t-c.omc.ast        TCP      [TCP segment of a reassembled PDU]
   2676 285.265625  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Request, Piece (Idx:0x2,Begin:0xc000,Len:0x4000)
   2720 288.116211  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Not Interested  Have, Piece (Idx:0x2)
   2721 288.539062  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Choke
   2723 290.380859  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Have, Piece (Idx:0x5)
   2725 291.022461  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Interested
   2727 292.223632  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Unchoke
   2728 292.227539  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Request, Piece (Idx:0x5,Begin:0x0,Len:0x4000)  Request, Piece (Idx:0x5,Begin:0x4000,Len:0x4000)  Request, Piece (Idx:0x5,Begin:0x8000,Len:0x4000)
   2749 293.343750  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Request, Piece (Idx:0x5,Begin:0xc000,Len:0x4000)
   2816 297.459961  24.20.3X.XXX          no.t-c.omc.ast        TCP      [TCP segment of a reassembled PDU]
   2820 298.100586  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Not Interested  Have, Piece (Idx:0x5)
   2821 298.490234  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Choke
   2823 300.263671  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Have, Piece (Idx:0x6)
   2825 301.036132  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Interested
   2827 302.329101  24.20.3X.XXX          no.t-c.omc.ast        BitTorrent Unchoke  Continuation data
   2828 302.329101  no.t-c.omc.ast        24.20.3X.XXX          BitTorrent Request, Piece (Idx:0x6,Begin:0x0,Len:0x4000)  Request, Piece (Idx:0x6,Begin:0x4000,Len:0x4000)  Request, Piece (Idx:0x6,Begin:0x8000,Len:0x4000)
   2830 302.717773  24.20.3X.XXX          no.t-c.omc.ast        TCP      10941 > 3828 [RST] Seq=149186 Len=0
   2831 302.717773  24.20.3X.XXX          no.t-c.omc.ast        TCP      10941 > 3828 [RST] Seq=161689 Len=0
   2832 302.722656  24.20.3X.XXX          no.t-c.omc.ast        TCP      [TCP Retransmission] [TCP segment of a reassembled PDU]
   2833 302.722656  24.20.3X.XXX          no.t-c.omc.ast        TCP      10941 > 3828 [RST] Seq=149286 Len=0
   2834 302.722656  24.20.3X.XXX          no.t-c.omc.ast        TCP      10941 > 3828 [RST] Seq=161789 Len=0
 
Note: Packet 2830 indicates receiving an RST from the Comcast system.
 

Conclusion: The RST is sent to both the Comcast and Non-Comcast sides of the connection.

If only one side respects the RST flag, the connection will be left in a half-open state. To one side, the TCP connection will appear to be valid and open. To the other, the TCP connection will have been ended. A half-open TCP connection is useless for exchanging data.

Comcast users should not modify their firewalls to drop RST packets as it is not an effective defense against the injected RST packets.

--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
Are you affected by Comcast's RST forging? How to test it! -or- Read my original report.
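
The two-capture comparison used in the post above, as an added example that is not part of the original post: it parses Wireshark summary rows from both endpoints and reports RSTs that arrived at one side although the apparent sender's own capture shows no RST leaving on that flow. The sample rows are constructed, the host labels `seeder` and `leecher` and all function names are hypothetical, and it assumes addresses have already been normalised to one label per host (the post's captures show the same host under different addresses).

```python
import re

# Constructed rows in the Wireshark summary layout shown in the post.
# "seeder" and "leecher" are placeholder host labels, not values from the page.
CAP_SEEDER = """\
   10 302.331 leecher  seeder   BitTorrent Request, Piece (Idx:0x6,Begin:0x0,Len:0x4000)
   11 302.332 seeder   leecher  TCP      [TCP segment of a reassembled PDU]
   12 302.344 leecher  seeder   TCP      3828 > 10941 [RST] Seq=406 Len=0
   13 302.345 leecher  seeder   TCP      3828 > 10941 [RST] Seq=12909 Len=0
"""
CAP_LEECHER = """\
   20 302.329 leecher  seeder   BitTorrent Request, Piece (Idx:0x6,Begin:0x0,Len:0x4000)
   21 302.717 seeder   leecher  TCP      10941 > 3828 [RST] Seq=149186 Len=0
   22 302.718 seeder   leecher  TCP      10941 > 3828 [RST] Seq=161689 Len=0
"""

# No., Time, Source, Destination, Protocol, Info
ROW = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+\S+\s+(.*)$")
RST = re.compile(r"(\d+) > (\d+) \[RST\] Seq=(\d+)")

def rst_rows(capture_text):
    """Return (src, dst, sport, dport, seq) for each RST row in one capture."""
    rows = []
    for line in capture_text.splitlines():
        row = ROW.match(line)
        hit = RST.search(row.group(3)) if row else None
        if hit:
            sport, dport, seq = map(int, hit.groups())
            rows.append((row.group(1), row.group(2), sport, dport, seq))
    return rows

def unsent_rsts(receiver, receiver_cap, sender_cap):
    """RSTs that reached `receiver` although the apparent sender's own capture
    has no RST leaving on that flow, i.e. they were injected in the path."""
    left_sender = {r[:4] for r in rst_rows(sender_cap)}
    return [r for r in rst_rows(receiver_cap)
            if r[1] == receiver and r[:4] not in left_sender]

def injection_report(host_a, cap_a, host_b, cap_b):
    """Map each endpoint to the injected RSTs it received."""
    return {host_a: unsent_rsts(host_a, cap_a, cap_b),
            host_b: unsent_rsts(host_b, cap_b, cap_a)}

if __name__ == "__main__":
    report = injection_report("seeder", CAP_SEEDER, "leecher", CAP_LEECHER)
    for host, rsts in report.items():
        print(host, "received", len(rsts), "RSTs its peer never sent:", rsts)
```

Flows are matched on source, destination and ports only, because Wireshark's relative sequence numbers can differ between captures that did not both record the handshake.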