Firewall Wizards mailing list archives

Re: Best way to drop forged TCP packets with RST flag set from comcast traffic shaping devices with iptables


From: Gary Douglas <dougary () gmail com>
Date: Tue, 8 Apr 2008 10:10:51 -0500

According to the link you sent, Comcast is not forging TCP packets. The researchers say it was their NAT devices causing the problem.

If Comcast is sending out RST packets, they are sending them out to both the source and destination. If you filter these out, your computer continues to try to transmit after the other end has received a RST, which will cause some network congestion. You would need to implement this on both sides of the TCP conversation.

Thank you
Gary Douglas



On Apr 7, 2008, at 9:58 PM, Chris Smith wrote:

Hi all,

I found this while reading Slashdot today, and decided to ask about it.

http://systems.cs.colorado.edu/mediawiki/index.php/Broadband_Network_Management

I don’t really want to wait for the results of any FCC investigation that may or may not find that Comcast is violating fair use policy, network neutrality, etc.

I would like to use iptables to start blocking these forged TCP packets as they hit the external interface of a Linux firewall.

I’ve noticed a lot of different functionality that can be enabled or modularized in the 2.6 kernel for netfilter, i.e. rate limiting, flag matching support, state match, etc.

What is the best way to configure the netfilter options in the kernel config to identify and drop these invalid TCP RST packets? What iptables rules can be used to implement and filter these forged packets?

It seems that using the old method that I’m aware of (filtering these packets because they are not part of an already related or established connection) is no longer adequate. This seems to be a very transparent man-in-the-middle-centric approach that Comcast is using.

One method that they seem to be using which is particularly interesting is that the TTL value set in the incoming forged TCP packets often has a specific static value, i.e. 30.

Another netfilter option that can be enabled is TTL match support. Can this functionality be used to find these packets? Could TTL match support be used in combination with rate match support to detect if more than X TCP packets with RST flag set and with a TTL value of 30 arrived in a given time frame, i.e. more than 1 every five seconds, and if so drop them? Would the packets have to be queued in order for this to work?
Would this be a reliable way to find and block forged packets?

Please share your thoughts.  I’m just entertaining a few ideas here.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
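The TTL-plus-rate idea from the original post, written out as iptables rules (an added example, not code from either poster): RST packets arriving on the external interface with the observed TTL are handed to a chain that lets them through at the stated rate (one per five seconds, i.e. 12/minute with a burst of 1) and drops and logs the rest, after first dropping RSTs that connection tracking marks INVALID. The interface eth0, the TTL of 30 and the rate are the post's values used as assumed defaults; the chain name FORGED_RST and the function names are constructed for this example.

```shell
#!/bin/sh
# Emit iptables rules that drop TCP RST packets on the external interface
# carrying a fixed TTL once they exceed a given rate. Constructed example:
# interface, TTL, rate and burst are assumptions passed as arguments.
#
# Print the rules:   ./forged-rst.sh
# Apply (as root):   ./forged-rst.sh eth0 30 12/minute 1 | sh

# rst_ttl_rules IFACE TTL RATE BURST -> prints one iptables command per line
rst_ttl_rules() {
    iface=$1; ttl=$2; rate=$3; burst=$4
    cat <<EOF
iptables -N FORGED_RST
iptables -A INPUT -i $iface -p tcp --tcp-flags RST RST -m state --state INVALID -j DROP
iptables -A INPUT -i $iface -p tcp --tcp-flags RST RST -m ttl --ttl-eq $ttl -j FORGED_RST
iptables -A FORGED_RST -m limit --limit $rate --limit-burst $burst -j RETURN
iptables -A FORGED_RST -m limit --limit 1/minute -j LOG --log-prefix "FORGED-RST "
iptables -A FORGED_RST -j DROP
EOF
}

# rst_ttl_rule_count IFACE TTL RATE BURST -> number of rule lines emitted
rst_ttl_rule_count() {
    rst_ttl_rules "$@" | wc -l | tr -d ' '
}

# Defaults are the values from the post; override on the command line.
rst_ttl_rules "${1:-eth0}" "${2:-30}" "${3:-12/minute}" "${4:-1}"
```

The limit match is an inline token bucket, so nothing is queued: RSTs within the rate RETURN to INPUT and are handled as before, and only the excess is dropped, which keeps a legitimate RST that happens to arrive with TTL 30 from being lost outright.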
