Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

Comcast forging RSTs again (and now SYN/ACKs)?

From: David Farber <dave () farber net>
Date: Mon, 7 Apr 2008 10:50:02 -0700

________________________________________
From: Rehmi Post [rehmi () media mit edu]
Sent: Monday, April 07, 2008 1:04 PM
To: David Farber
Subject: Comcast forging RSTs again (and now SYN/ACKs)?

Dave, for IP if you wish.

If the note below accurately reflects Comcast's next round of traffic
shaping, let us hope they are also clever enough to protect their
users against the many new denial-of-service and spoofing attacks this
will surely enable.

Rehmi


from http://systems.cs.colorado.edu/mediawiki/index.php/Broadband_Network_Management

Recently, it has been observed that Comcast is disrupting TCP
connections using forged TCP reset (RST) packets [1]. These reset
packets were originally targeted at TCP connections associated with
the BitTorrent file-sharing protocol. However, Comcast has stated that
they are transitioning to a more "protocol neutral" traffic shaping
approach [2]. We have recently observed this shift in policy, and have
collected network traffic traces to demonstrate the behavior of their
traffic shaping. In particular, we are able (during peak usage times)
to synthetically generate a relatively large number of TCP reset
packets aimed at any new TCP connection regardless of the application-
level protocol. Surprisingly, this traffic shaping even disrupts
normal web browsing and e-mail applications. Specifically, we observe
two different types of packet forgery and packets being discarded.

...

The final trace is perhaps even more remarkable. A TCP SYN packet is
sent to a non-routeable, reserved IP address (2.2.2.2) and a SYN, ACK
packet is received in response. The only problem is that no host
exists at 2.2.2.2! This again shows that the outgoing SYN packet is
being dropped, and the "expected" response is being forged by Comcast.
The IP TTL field for these forged TCP SYN, ACK packets is consistently
set to 30.

...


-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
Previous By Date Next
Previous By Thread Next

Current thread: