TCP reset attack
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)
|
TCP reset attack, also known as a forged TCP reset or spoofed TCP reset, is a way to terminate a
The Great Firewall of China, and Iranian Internet censors are known to use TCP reset attacks to interfere with and block connections as a major method to carry out Internet censorship.[1]
Background
The Internet is a system for individual computers to exchange electronic messages, or
TCP is commonly employed alongside IP (Internet Protocol) to establish a two-way virtual connection between two computers. As a connection-oriented protocol, TCP necessitates the establishment of a logical connection between two processes prior to the exchange of data. This is in contrast to UDP, which is a connection-less protocol within the IP suite. TCP/IP sockets facilitate communication between computers, such as between a workstation with a browser and a web server, through the exchange of a stream of data packets. The use of a TCP connection enables the transfer of large data items, which exceed the size limits of a single packet, including video clips, email attachments, or music files. Although certain web pages are sufficiently small to fit within a single packet, they are typically transmitted over TCP connections for enhanced reliability and error control.
TCP resets
In a stream of packets of a TCP connection, each packet contains a TCP header. Each of these headers contains a bit known as the "reset" (RST) flag.[3] In most packets, this bit is set to 0 and has no effect. However, if this bit is set to 1, it indicates to the receiving computer that the computer should immediately stop using the TCP connection; it should not send any more packets using the connection's identifying numbers, called ports, and discard any further packets it receives with headers indicating they belong to that connection. A TCP reset kills a TCP connection near instantly.
This tool serves a specific function within the realm of computer networking, particularly in managing TCP connections. A notable use case arises when a computer, referred to as 'Computer A,' experiences a system crash during an active TCP connection. Consequently, the corresponding computer on the other end of the connection, designated as 'Computer B,' remains unaware of the crash and continues to transmit TCP packets. Upon rebooting, Computer A receives these residual packets from the disrupted connection. However, lacking the original context and unable to process them appropriately, Computer A typically issues a TCP reset signal to Computer B. This reset informs Computer B of the failure in the connection, prompting the user at Computer B to either attempt reestablishing the connection or take alternative actions as necessary.
Forging TCP resets
In the scenario above, the TCP reset bit was sent by a computer that was one of the connection endpoints. It is possible for a third computer to monitor the TCP packets on the connection and then send a "forged" packet containing a TCP reset to one or both endpoints. The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger. This information includes the endpoint IP addresses and port numbers. Every field in the IP and TCP headers must be set to a convincing forged value for the fake reset to trick the endpoint into closing the TCP connection. Properly formatted forged TCP resets can be a very effective way to disrupt any TCP connection that the forger can monitor.
Legitimate use
One application of a forged TCP reset is to maliciously disrupt TCP connections without the consent of the two parties that own the endpoints. However, network security systems using forged TCP resets have been designed as well. A prototype "Buster" software package was demonstrated in 1995 that would send forged resets to any TCP connection that used port numbers in a short list. Linux volunteers proposed doing something similar with Linux firewalls in 2000,[3] and open source software, such as Snort used TCP resets to disrupt suspicious connections as early as 2003.[4]
Comcast Controversy
By late 2007,
In January 2008, the
Prevention
By encrypting connections through the utilization of a VPN, the attacker has to do a TCP reset attack on all encrypted connections, causing collateral damage.[citation needed]
See also
- DNS hijacking
- TCP sequence prediction attack
- Network Neutrality
References
- Department of Computer Science and Technology.
- ^ Transmission Control Protocol (TCP). STD 7.
- ^ a b "May 2000 Linux discussion archives".
- ^ Berry, Josh (2004-02-28). "TCP Resets". snort-users (Mailing list).
- ^ Svensson, Peter (19 Oct 2007). "Comcast blocks some Internet traffic". NBC News.
- ^ NNSquad home page
- ^ "Commission Orders Comcast To End Discriminatory Network Management Practices" (PDF).