Vulnerability Development mailing list archives
Re: Retransmissions while blocking TCP Stack's RST?
From: Bryan Burns <bburns () netscreen com>
Date: Wed, 30 Oct 2002 13:37:08 -0800
If you're using TCP, the sequence numbers in the ACKs are going to be totally wrong, and just won't work. For example:
    > SYN (seq Sc) (from the replay)
    < SYN ACK (seq Ss, ack Sc) (from your stack)
    > SYN (seq Sc+1, ack Ss_old) (from the replay)
    < stack-dependent freak-out

You somehow have to either make your stack's sequence number be the same from the replay, or have your replay ACK the correct sequence number. A similar issue arises if the number of bytes your stack sends doesn't match the number of bytes from the replay.

-Bryan

On Wednesday, October 30, 2002, at 12:30 PM, Jared Stanbrough wrote:

> On Wed, 30 Oct 2002, Brad Arlt wrote:
>
>> On Wed, Oct 30, 2002 at 06:33:38AM -0800, Cynic wrote:
>>
>>> Hi, I am looking for an application for *NIX, that can replay captured packets, while dropping the TCP Stack's responses. Let's assume I replay a SYN, and receive a SYN-ACK, my host's TCP Stack immediately replies with a RST since it was not aware a connection was to be opened. So I am looking for some low-level retransmission application for *nix such as Network monitor for NT. (I believe it does this.)
>>
>> http://tcpreplay.sourceforge.net/
>>
>> TCP Replay resends a libpcap or snoop capture file. As far as I know it doesn't listen to a darn thing, so you are good to go.
>
> This doesn't address the issue of keeping the originating machine from trying to take part in the replayed TCP session. The question isn't how to replay the data, it's how to keep the originating host from screwing it up by tearing down the illegitimate connection.
>
> One easy way to do this would be to set up iptables to block outbound TCP packets that have the RST flag set (of course, this would mess up replayed data which contains RSTs..but I'm sure you can think of creative solutions for that :)
>
> --jared
>
>> You can trim the capture file however you like using the tools that come with it, Snoop, or tcpdump.
>>
>> ----------------------------------------------------------------------
>>    -__o      Bradley Arlt                   Security Team Lead
>>   _ \<_      arlt () cpsc ucalgary ca       University Of Calgary
>>  (_)/(_)     I should be biking right now.  Computer Science
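The sequence-number mismatch described in the message above, worked through as an added example that is not part of the original post or of any tool named in the thread. The function names, the segment records and the ISN values are constructed for illustration, and the acceptance check is a simplified model of a TCP stack (an ACK is accepted only if it covers bytes the live stack has actually sent).

```python
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def rebase_acks(segments, ss_old, ss_live):
    """Shift captured ACK numbers from the old server ISN to the live one."""
    delta = (ss_live - ss_old) % MOD
    return [
        {**s, "ack": None if s["ack"] is None else (s["ack"] + delta) % MOD}
        for s in segments
    ]


def first_bad_ack(segments, ss_live, live_sent):
    """Index of the first replayed segment the live stack would reject.

    Simplified model: an ACK is valid when it lies between ISN+1 (the SYN)
    and ISN+1+live_sent (everything the live stack has sent so far).
    """
    for i, s in enumerate(segments):
        if s["ack"] is None:          # initial SYN carries no ACK
            continue
        offset = (s["ack"] - ss_live) % MOD
        if not 1 <= offset <= 1 + live_sent:
            return i
    return None


# Constructed capture: the recorded server used ISN SS_OLD and sent 120 bytes.
SS_OLD = 4294967200                   # close to the wrap point on purpose
CAPTURED = [
    {"flags": "SYN", "ack": None},
    {"flags": "ACK", "ack": (SS_OLD + 1) % MOD},        # completes handshake
    {"flags": "ACK", "ack": (SS_OLD + 1 + 120) % MOD},  # acks 120 data bytes
]

if __name__ == "__main__":
    ss_live = 500                     # ISN chosen by the live stack (constructed)
    print("raw replay, first bad segment:",
          first_bad_ack(CAPTURED, ss_live, 120))
    fixed = rebase_acks(CAPTURED, SS_OLD, ss_live)
    print("rebased, live stack sent 120 bytes:",
          first_bad_ack(fixed, ss_live, 120))
    print("rebased, live stack sent only 100 bytes:",
          first_bad_ack(fixed, ss_live, 100))
```

The last case is the byte-count mismatch from the message: even with ACKs rebased, the replay acknowledges data the live stack never sent.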