Team for Research in Ubiquitous Secure Technology

Detecting Forged TCP Reset Packets
Nicholas Weaver, Robin Sommer, Vern Paxson

Citation
Nicholas Weaver, Robin Sommer, Vern Paxson. "Detecting Forged TCP Reset Packets". Talk or presentation, 11 November 2008.

Abstract
Several off-the-shelf products enable network operators to enforce usage restrictions by actively terminating connections when deemed undesirable. While the spectrum of their application is large—from ISPs limiting the usage of P2P applications to the "Great Firewall of China"—many of these systems implement the same approach to disrupt the communication: they inject artificial TCP Reset (RST) packets into the network, causing the endpoints to shut down communication upon receipt. In this work, we study the characteristics of packets injected by such traffic control devices. We show that by exploiting the race-conditions that out-of-band devices inevitably face, we not only can detect the interference but often also fingerprint the specific device in use. We develop an efficient injection detector and demonstrate its effectiveness by identifying a range of disruptive activity seen in traces from four different sites, including termination of P2P connections, anti-spam and anti-virus mechanisms, and the finding that China's "Great Firewall" has multiple components, sometimes apparently operating without coordination. We also find a number of sources of idiosyncratic connection termination that do not reflect third-party traffic disruption, including NATs, load-balancers, and spam bots. In general, our findings highlight that (1) Internet traffic faces a wide range of control devices using injected RST packets, and (2) significant care is required to reliably detect RST injection while avoiding misidentification of other types of activity.
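The race condition the abstract relies on is simple to state: an off-path device that forges a RST "from" endpoint A cannot stop A's own packets, so the forged RST and A's genuine traffic both reach B, and a monitor that sees the whole connection can notice that A kept talking, in sequence, after it supposedly reset. The Python sketch below is an added example written for this page; it is not the authors' detector, and the packet records, addresses, TTLs and the injected RST's window value are all constructed for illustration. It scores each RST on the evidence an out-of-band injector leaves behind (sender continues after the RST, sequence space continues seamlessly, TTL and sequence-number anomalies), only calls a RST injected when the race itself is visible, and returns a per-device fingerprint tuple of the kind the abstract says can identify the product in use.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One TCP segment as seen by a passive monitor (constructed records)."""
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    flags: str        # TCP flag letters, e.g. "S", "SA", "A", "PA", "R", "RA"
    seq: int          # sequence number carried by the segment
    ttl: int          # IP TTL observed at the monitor
    win: int = 65535  # advertised window
    payload: int = 0  # payload length in bytes


def next_seq(p):
    """Sequence number p's sender should use next (SYN and FIN each consume one)."""
    return p.seq + p.payload + ("S" in p.flags) + ("F" in p.flags)


def conn_key(p):
    # Direction-independent key so both halves of a connection group together.
    return tuple(sorted((p.src, p.dst)))


def analyze_rst(pkts, i):
    """Collect injection evidence for the RST at pkts[i] within one connection.

    An off-path injector cannot suppress the genuine endpoint's packets, so a
    forged RST races them: the purported sender keeps transmitting afterwards
    and its later segments pick up exactly where the pre-RST stream stopped.
    """
    rst = pkts[i]
    before = [q for q in pkts[:i] if q.src == rst.src and "R" not in q.flags]
    after = [q for q in pkts[i + 1:] if q.src == rst.src and "R" not in q.flags]
    evidence = []
    if before:
        if rst.ttl not in {q.ttl for q in before}:
            evidence.append("ttl_mismatch")       # different hop count than the real sender
        if rst.seq != next_seq(before[-1]):
            evidence.append("seq_mismatch")       # injector guessed the sequence space
    if after:
        evidence.append("sender_continues")       # a host that really reset would stop
        if before and after[0].seq == next_seq(before[-1]):
            evidence.append("stream_continues")   # sender never saw the connection as reset
    return evidence


def classify(evidence):
    """Call a RST 'injected' only when the race is visible; lone anomalies are
    'suspicious', since NATs, load balancers and odd stacks produce them too."""
    if "stream_continues" in evidence or (
        "sender_continues" in evidence and "ttl_mismatch" in evidence
    ):
        return "injected"
    return "suspicious" if evidence else "benign"


def fingerprint(rst, evidence):
    """Fields that tend to stay constant for a given injection device."""
    return (rst.ttl, rst.win, rst.flags, "seq_mismatch" in evidence)


def scan(trace):
    """Map every RST in the trace to (verdict, evidence, fingerprint)."""
    conns = defaultdict(list)
    for p in trace:
        conns[conn_key(p)].append(p)
    results = {}
    for pkts in conns.values():
        for i, p in enumerate(pkts):
            if "R" in p.flags:
                ev = analyze_rst(pkts, i)
                results[p] = (classify(ev), ev, fingerprint(p, ev))
    return results


# Constructed trace. Connection 1: a forged RST (hypothetical TTL 57, window 0)
# claiming to come from client A, after which A keeps sending in sequence.
A, B = "10.0.0.5:40000", "203.0.113.7:80"
FORGED_RST = Pkt(A, B, "R", 1101, ttl=57, win=0)
# Connection 2: a genuine RST from a closed port (nothing before or after it).
C, D = "10.0.0.9:50000", "198.51.100.2:25"
# Connection 3: a RST with an odd TTL but no follow-up, as a middlebox might send.
E, F = "10.0.0.11:41000", "192.0.2.30:443"
SAMPLE_TRACE = [
    Pkt(A, B, "S", 1000, ttl=64), Pkt(B, A, "SA", 5000, ttl=50),
    Pkt(A, B, "A", 1001, ttl=64), Pkt(A, B, "PA", 1001, ttl=64, payload=100),
    FORGED_RST,
    Pkt(B, A, "PA", 5001, ttl=50, payload=300), Pkt(A, B, "A", 1101, ttl=64),
    Pkt(C, D, "S", 7000, ttl=64), Pkt(D, C, "RA", 0, ttl=50),
    Pkt(E, F, "S", 3000, ttl=64), Pkt(F, E, "SA", 9000, ttl=44),
    Pkt(E, F, "A", 3001, ttl=64), Pkt(F, E, "R", 9001, ttl=52),
]

if __name__ == "__main__":
    for p, (verdict, ev, fp) in scan(SAMPLE_TRACE).items():
        print(f"{p.src} -> {p.dst} RST: {verdict} {ev} fingerprint={fp}")
```

Run against the constructed trace, the first connection's RST comes out "injected" (TTL mismatch, sender continues, stream continues), the closed-port RST "benign", and the third connection's RST only "suspicious": a TTL that differs from the handshake alone is exactly the kind of signal a NAT or load balancer in front of the server can produce, which is why the classifier refuses to call it injection without the race. A production detector has more to handle than this sketch: a retransmission delayed in flight can arrive after a genuine RST and mimic "sender_continues", so real deployments also compare timing and check whether the post-RST segment is a duplicate of earlier data rather than new sequence space.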

Citation formats
  • HTML
    Nicholas Weaver, Robin Sommer, Vern Paxson. <a href="http://www.truststc.org/pubs/486.html"><i>Detecting Forged TCP Reset Packets</i></a>, Talk or presentation, 11 November 2008.
  • Plain text
    Nicholas Weaver, Robin Sommer, Vern Paxson. "Detecting Forged TCP Reset Packets". Talk or presentation, 11 November 2008.
  • BibTeX
    @misc{WeaverSommerPaxson08_DetectingForgedTCPResetPackets,
        author = {Nicholas Weaver and Robin Sommer and Vern Paxson},
        title = {Detecting Forged TCP Reset Packets},
        howpublished = {Talk or presentation},
        day = {11},
        month = {November},
        year = {2008},
        abstract = {Several off-the-shelf products enable network
                  operators to enforce usage restrictions by
                  actively terminating connections when deemed
                  undesirable. While the spectrum of their
                  application is large—from ISPs limiting the
                  usage of P2P applications to the "Great Firewall
                  of China"—many of these systems implement the
                  same approach to disrupt the communication: they
                  inject artificial TCP Reset (RST) packets into the
                  network, causing the endpoints to shut down
                  communication upon receipt. In this work, we study
                  the characteristics of packets injected by such
                  traffic control devices. We show that by
                  exploiting the race-conditions that out-of-band
                  devices inevitably face, we not only can detect
                  the interference but often also fingerprint the
                  specific device in use. We develop an efficient
                  injection detector and demonstrate its
                  effectiveness by identifying a range of disruptive
                  activity seen in traces from four different sites,
                  including termination of P2P connections,
                  anti-spam and anti-virus mechanisms, and the
                  finding that China's "Great Firewall" has multiple
                  components, sometimes apparently operating without
                  coordination. We also find a number of sources of
                  idiosyncratic connection termination that do not
                  reflect third-party traffic disruption, including
                  NATs, load-balancers, and spam bots. In general,
                  our findings highlight that (1) Internet traffic
                  faces a wide range of control devices using
                  injected RST packets, and (2) significant care is
                  required to reliably detect RST injection while
                  avoiding misidentification of other types of
                  activity.},
        URL = {http://www.truststc.org/pubs/486.html}
    }

Posted by Jessica Gamble on 23 Jan 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.