o11c
5 days ago
(If the author is reading this: bad formatting for fin: and acknumdiff: )
Once again a discussion that covers RST injection attacks fails to consider the one case I actually saw in the wild ...
My observation involved long-lived (much longer than typical for HTTP) TCP connections with low-but-nonzero traffic (there was an application-layer heartbeat). For at least some US residential IPs (some with effectively static allocation) connected to a datacenter, they would reliably get RST injected (to the client only, not the server) after being connected long enough (usually a couple hours, but not any obvious pattern).
supriyo-biswas
5 days ago
In my very populous country, the largest ISP will inject resets if it's over IPv4 and idle for more than 10 seconds :)
These things are unfortunately rather common. This is also why I run SSH with a 5 second heartbeat duration, for example.
patrakov
5 days ago
Is the server on OVH? This is a known "feature" of their DoS protection that cannot be turned off.
accrual
5 days ago
Maybe a fun idea - run an application on both sides of a remote TCP connection that records but doesn't respond to TCP RST packets. Then see how many times you get "reset".
geocar
4 days ago
You can just drop RST packets.
iptables -I INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL RST -j DROPo11c
4 days ago
That looks like exactly what I did, but it was a pain trying to get random users to do run code as root.
thelastparadise
4 days ago
Why do I find this so funny...