o11c
10 months ago
(If the author is reading this: bad formatting for fin: and acknumdiff: )
Once again a discussion that covers RST injection attacks fails to consider the one case I actually saw in the wild ...
My observation involved long-lived (much longer than typical for HTTP) TCP connections with low-but-nonzero traffic (there was an application-layer heartbeat). For at least some US residential IPs (some with effectively static allocation) connected to a datacenter, they would reliably get RST injected (to the client only, not the server) after being connected long enough (usually a couple hours, but not any obvious pattern).
supriyo-biswas
10 months ago
In my very populous country, the largest ISP will inject resets if it's over IPv4 and idle for more than 10 seconds :)
These things are unfortunately rather common. This is also why I run SSH with a 5 second heartbeat duration, for example.
patrakov
10 months ago
Is the server on OVH? This is a known "feature" of their DoS protection that cannot be turned off.
accrual
10 months ago
Maybe a fun idea - run an application on both sides of a remote TCP connection that records but doesn't respond to TCP RST packets. Then see how many times you get "reset".
geocar
10 months ago
You can just drop RST packets.
iptables -I INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL RST -j DROPo11c
10 months ago
That looks like exactly what I did, but it was a pain trying to get random users to do run code as root.
thelastparadise
10 months ago
Why do I find this so funny...