Detecting Forged TCP Reset Packets

نویسندگان

  • Nicholas Weaver
  • Robin Sommer
  • Vern Paxson
چکیده

Several off-the-shelf products enable network operators to enforce usage restrictions by actively terminating connections when deemed undesirable. While the spectrum of their application is large—from ISPs limiting the usage of P2P applications to the “Great Firewall of China”—many of these systems implement the same approach to disrupt the communication: they inject artificial TCP Reset (RST) packets into the network, causing the endpoints to shut down communication upon receipt. In this work, we study the characteristics of packets injected by such traffic control devices. We show that by exploiting the race-conditions that out-of-band devices inevitably face, we not only can detect the interference but often also fingerprint the specific device in use. We develop an efficient injection detector and demonstrate its effectiveness by identifying a range of disruptive activity seen in traces from four different sites, including termination of P2P connections, anti-spam and anti-virus mechanisms, and the finding that China’s “Great Firewall” has multiple components, sometimes apparently operating without coordination. We also find a number of sources of idiosyncratic connection termination that do not reflect third-party traffic disruption, including NATs, loadbalancers, and spam bots. In general, our findings highlight that (i) Internet traffic faces a wide range of control devices using injected RST packets, and (ii) to reliably detect RST injection while avoiding misidentification of other types of activity requires significant care.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Resilience of Deployed TCP to Blind Off-Path Attacks

As part of TCP’s steady evolution, recent standards have recommended mechanisms to protect against weaknesses in TCP. But adoption, configuration, and deployment of TCP improvements can be slow. In this work, we consider the resilience of deployed TCP implementations to blind in-window attacks, where an off-path adversary disrupts an established connection by sending a packet that the victim be...

متن کامل

Towards a Comprehensive Picture of the Great Firewall's DNS Censorship

China’s Great Firewall passively inspects network traffic and disrupts unwanted communication by injecting forged DNS replies or TCP resets. We attempted to comprehensively examine the structure of the DNS injector, using queries from both within and outside China. Using these probes, we were able to localize the DNS monitors’ locations, extract the firewall’s DNS blacklist of approximately 15,...

متن کامل

Reorder Detecting TCP (RD-TCP) with Explicit Packet Drop Notification (EPDN)

Numerous studies have shown that packet reordering is common, especially in networks where there is high degree of parallelism and different link speeds. Reordering of packets decreases the TCP performance of a network, mainly because it leads to overestimation of the congestion of the network. We consider wired networks and analyze the performance of such networks when reordering of packets oc...

متن کامل

Ignoring the Great Firewall of China

The so-called “Great Firewall of China” operates, in part, by inspecting TCP packets for keywords that are to be blocked. If the keyword is present, TCP reset packets (viz: with the RST flag set) are sent to both endpoints of the connection, which then close. However, because the original packets are passed through the firewall unscathed, if the endpoints completely ignore the firewall’s resets...

متن کامل

RD-TCP: Reorder Detecting TCP

Numerous studies have shown that packet reordering is common, especially in networks with a high degree of parallelism. Reordering of packets decreases the TCP performance of a network, mainly because it leads to overestimation of the congestion of the network. We consider wired networks with transmission that follows predominantly, but not necessarily exclusively, symmetric routing paths, and ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2009