Firewall Wizards mailing list archives
Re: RST's and ACK's and stealth scans
From: Steve Bellovin <smb () research att com>
Date: Sat, 02 May 1998 18:52:15 -0400
Quick questions about TCP/IP traffic:

1. What does it mean when I see a Reset accompanied with an ACK? That is... someone told me that if I see a packet that only has the RESET flag set, this means that the connection was terminated (or not allowed to establish). But, they said, if I see a packet that contains a RESET with the ACK bit set, then although the connection was refused, this is evidence that some service was at least listening enough to acknowledge.

2. Can I assume that when my firewall sends RST that the packet reveals nothing more than the fact that the connection was refused, whether the ACK bit is set or not?

3. If RST was sent and window size is 0 (ACK or no ACK) I conclude that my firewall really does not want to talk... Is this a correct conclusion?
This is far too complicated a set of questions for a quick answer. However -- RST without ACK means "connection refused", which generally means that there's nothing listening on that port.

Once a connection is set up (that is, has transitioned to ESTABLISHED state), all packets will carry the ACK bit. They must also carry an acceptable sequence number. These provisions both apply to RST messages, too. In this case, though, a RST means that the other side has aborted the connection for some reason.

The window size on an ACK packet is irrelevant.

What flavor RST your firewall should send depends on the connection state; if it gets it wrong, the remote side probably won't listen. That's definitely the case for a bare RST on an established connection.

For more details, see RFC 793 and/or a good text on TCP, such as Stevens' "TCP/IP Illustrated, Volume I".
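As an added illustration of the state-dependent "flavor" of RST the reply refers to (example code written for this archive page, not from the list or from RFC 793 itself), the following models two RFC 793 rules: which RST a host emits for a segment that matches no connection (section 3.4), and when a received RST is honoured (section 3.9). The `Segment` type and all sequence numbers are constructed for the example.

```python
# Added example: RFC 793 reset generation and acceptance. Segment fields are
# constructed for illustration; sequence arithmetic is modulo 2**32.
from dataclasses import dataclass

MOD = 1 << 32


@dataclass
class Segment:
    seq: int
    ack: int
    flags: frozenset      # subset of {"SYN", "ACK", "RST", "FIN"}
    payload: int = 0      # data bytes carried


def seg_len(seg):
    """SEG.LEN: data bytes plus one each for SYN and FIN, which occupy sequence space."""
    return seg.payload + ("SYN" in seg.flags) + ("FIN" in seg.flags)


def reset_for(seg):
    """RST a host sends for a segment that matches no connection (RFC 793 section 3.4)."""
    if "RST" in seg.flags:
        return None  # a RST is never answered with another RST
    if "ACK" in seg.flags:
        # The sender believes a connection exists: bare RST, SEQ taken from its ACK field.
        return Segment(seq=seg.ack, ack=0, flags=frozenset({"RST"}))
    # No ACK present (e.g. a SYN to a closed port): RST+ACK with SEQ 0 and an
    # ACK that covers the whole offending segment.
    return Segment(seq=0, ack=(seg.seq + seg_len(seg)) % MOD, flags=frozenset({"RST", "ACK"}))


def rst_accepted(state, seg, snd_una, snd_nxt, rcv_nxt, rcv_wnd):
    """Whether a received RST aborts the connection (RFC 793 section 3.9).
    The window field carried by the RST itself plays no part in the decision."""
    if "RST" not in seg.flags:
        return False
    if state == "SYN-SENT":
        # Only a RST that acknowledges our SYN is honoured: SND.UNA < SEG.ACK <= SND.NXT.
        return "ACK" in seg.flags and snd_una < seg.ack <= snd_nxt
    # Any synchronized state: the RST's sequence number must fall in our receive window.
    if rcv_wnd == 0:
        return seg.seq == rcv_nxt
    return (seg.seq - rcv_nxt) % MOD < rcv_wnd
```

A SYN to a closed port therefore draws a RST+ACK whose ACK is the SYN's sequence number plus one, while a stray ACK draws a bare RST; in SYN-SENT a RST lacking an acceptable ACK is simply dropped.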