Interesting People mailing list archives
Comcast forging RSTs again (and now SYN/ACKs)?
From: David Farber <dave () farber net>
Date: Mon, 7 Apr 2008 10:50:02 -0700
________________________________________
From: Rehmi Post [rehmi () media mit edu]
Sent: Monday, April 07, 2008 1:04 PM
To: David Farber
Subject: Comcast forging RSTs again (and now SYN/ACKs)?

Dave, for IP if you wish.

If the note below accurately reflects Comcast's next round of traffic shaping, let us hope they are also clever enough to protect their users against the many new denial-of-service and spoofing attacks this will surely enable.

Rehmi

from http://systems.cs.colorado.edu/mediawiki/index.php/Broadband_Network_Management

Recently, it has been observed that Comcast is disrupting TCP connections using forged TCP reset (RST) packets [1]. These reset packets were originally targeted at TCP connections associated with the BitTorrent file-sharing protocol. However, Comcast has stated that they are transitioning to a more "protocol neutral" traffic shaping approach [2]. We have recently observed this shift in policy, and have collected network traffic traces to demonstrate the behavior of their traffic shaping. In particular, we are able (during peak usage times) to synthetically generate a relatively large number of TCP reset packets aimed at any new TCP connection regardless of the application-level protocol. Surprisingly, this traffic shaping even disrupts normal web browsing and e-mail applications. Specifically, we observe two different types of packet forgery and packets being discarded.

...

The final trace is perhaps even more remarkable. A TCP SYN packet is sent to a non-routeable, reserved IP address (2.2.2.2) and a SYN, ACK packet is received in response. The only problem is that no host exists at 2.2.2.2! This again shows that the outgoing SYN packet is being dropped, and the "expected" response is being forged by Comcast. The IP TTL field for these forged TCP SYN, ACK packets is consistently set to 30.

...
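
The check described in the quoted note, written out as an added example (it is not part of the original message or of the Colorado write-up): replies that claim to come from an address where no host answers are counted by TTL, and other SYN/ACK or RST packets carrying the same TTL are listed as candidates for closer inspection. The packets, the local address 192.0.2.10 and the function names are constructed for illustration; only 2.2.2.2 and TTL 30 come from the note.

```python
import socket
import struct
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10

def parse_ipv4_tcp(pkt):
    """Return (src, dst, ttl, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None                        # bad header, not TCP, or truncated
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return src, dst, pkt[8], pkt[ihl + 13]

def is_synack(flags):
    return (flags & (SYN | ACK)) == (SYN | ACK)

def forged_reply_ttls(packets, canary):
    """Count TTLs of SYN/ACKs that claim to come from `canary`, an address
    where no host answers, so any such reply was produced on the path."""
    recs = filter(None, map(parse_ipv4_tcp, packets))
    return Counter(ttl for src, _, ttl, fl in recs if src == canary and is_synack(fl))

def suspects(packets, canary):
    """Heuristic: SYN/ACK or RST packets from other sources whose TTL equals
    a TTL seen on the forged canary replies. A hint only, not proof."""
    fingerprint = set(forged_reply_ttls(packets, canary))
    recs = filter(None, map(parse_ipv4_tcp, packets))
    return [(src, ttl, fl) for src, _, ttl, fl in recs
            if src != canary and ttl in fingerprint
            and (is_synack(fl) or fl & RST)]

def build(src, dst, ttl, flags):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHLLBBHHH", 80, 40000, 0, 0, 5 << 4, flags, 8192, 0, 0)

# Constructed capture; 192.0.2.10 is the hypothetical local host.
SAMPLE = [
    build("192.0.2.10", "2.2.2.2", 64, SYN),             # probe to the canary
    build("2.2.2.2", "192.0.2.10", 30, SYN | ACK),       # reply no host could send
    build("198.51.100.7", "192.0.2.10", 52, SYN | ACK),  # ordinary server reply
    build("203.0.113.9", "192.0.2.10", 30, RST),         # shares the forged TTL
]

if __name__ == "__main__":
    print(forged_reply_ttls(SAMPLE, "2.2.2.2"), suspects(SAMPLE, "2.2.2.2"))
```

A shared TTL alone does not prove forgery, since genuine hosts at the same hop distance arrive with the same value; the canary replies are the firm evidence and the TTL match only narrows what to examine next.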