According to the link you sent, Comcast is not forging TCP packets.
The researchers say it was their NAT devices causing the problem.
If Comcast is sending out RST packets, they are sending them out to
both the source and destination. If you filter these out and your
computer continues to try to transmit after the other end receives an
RST, this will cause some network congestion. You would need to
implement this on both sides of the TCP conversation.
Thank you
Gary Douglas
On Apr 7, 2008, at 9:58 PM, Chris Smith wrote:
> Hi all,
>
> I found this while reading Slashdot today, and decided to ask about
> it.
>
> http://systems.cs.colorado.edu/mediawiki/index.php/Broadband_Network_Management
>
> I don’t really want to wait for the results of any FCC investigation
> that may or may not find that Comcast is violating fair use policy,
> network neutrality, etc.
>
> I would like to use iptables to start blocking these forged TCP
> packets as they hit the external interface of a Linux firewall.
>
> I’ve noticed a lot of different functionality that can be enabled or
> modularized in the 2.6 kernel for netfilter, i.e. rate limiting,
> flag matching support, state match, etc.
>
> What is the best way to configure the netfilter options in the
> kernel config to identify and drop these invalid TCP RST packets?
> What IPtables rules can be used to implement and filter these forged
> packets?
>
> It seems that using the old method that I’m aware of (filtering
> these packets because they are not part of an already related or
> established connection) is no longer adequate. This seems to be a
> very transparent man-in-the-middle-centric approach that Comcast is
> using.
>
> One method that they seem to be using which is particularly
> interesting is that the TTL value set in the incoming forged TCP
> packets often has a specific static value, i.e. 30.
>
> Another netfilter option that can be enabled is TTL match support.
> Can this functionality be used to find these packets? Could TTL
> match support be used in combination with rate match support to
> detect if more than X TCP packets with the RST flag set and with a TTL
> value of 30 arrived in a given time frame, i.e. more than 1 every
> five seconds, and if so drop them? Would the packets have to be
> queued in order for this to work?
> Would this be a reliable way to find and block forged packets?
>
> Please share your thoughts. I’m just entertaining a few ideas here.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Apr 08 2008
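The two RST-filtering heuristics raised in Chris's post, modelled as an added Python example that is not from either poster (iptables itself needs root and a live interface, so the match logic is reproduced in plain Python): the rate-limited TTL match he proposes, and, going beyond the thread, a per-peer TTL-baseline check. The packet tuples are constructed; the TTL value 30 and the 1-per-5-seconds threshold come from the post.

```python
"""Model of two heuristics for spotting injected TCP RSTs."""
from collections import defaultdict, deque

# Constructed sample flow (time in seconds, src, dst, TCP flags, IP TTL).
# Not a real capture: the values are chosen to exercise both checks.
PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", "SYN", 64),
    (0.1, "192.0.2.10", "10.0.0.5", "SYN,ACK", 52),
    (0.2, "10.0.0.5", "192.0.2.10", "ACK", 64),
    (1.0, "192.0.2.10", "10.0.0.5", "ACK", 52),
    (1.5, "192.0.2.10", "10.0.0.5", "RST", 30),  # injected-looking: TTL 30, peer uses 52
    (2.0, "192.0.2.10", "10.0.0.5", "RST", 30),  # second one inside the 5 s window
    (9.0, "192.0.2.10", "10.0.0.5", "RST", 52),  # TTL matches the peer's own packets
]


def rate_verdicts(packets, suspect_ttl=30, limit=1, window=5.0):
    """The post's proposal: drop RSTs carrying the static TTL once more than
    `limit` of them for the same (src, dst) pair arrive within `window` seconds.
    Sliding window here; the iptables limit match is a token bucket, but on
    this trace the outcome is the same."""
    seen = defaultdict(deque)
    verdicts = []
    for t, src, dst, flags, ttl in packets:
        if "RST" not in flags or ttl != suspect_ttl:
            verdicts.append("ACCEPT")
            continue
        q = seen[(src, dst)]
        while q and t - q[0] > window:  # expire timestamps older than the window
            q.popleft()
        q.append(t)
        verdicts.append("DROP" if len(q) > limit else "ACCEPT")
    return verdicts


def ttl_anomaly_verdicts(packets):
    """Added heuristic beyond the thread: remember the TTL the peer used on its
    non-RST packets and drop an RST whose TTL differs from it. A third party
    injecting RSTs sits at a different hop count than the real peer, so its
    TTL usually does not match the baseline."""
    baseline = {}
    verdicts = []
    for _, src, dst, flags, ttl in packets:
        key = (src, dst)
        if "RST" not in flags:
            baseline.setdefault(key, ttl)  # first non-RST packet fixes the baseline
            verdicts.append("ACCEPT")
        elif key in baseline and baseline[key] != ttl:
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
    return verdicts
```

Note that the rate rule lets the first TTL-30 RST through, which is already enough to tear down the connection, while the baseline check catches it and still passes the RST whose TTL matches the peer.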