TCP reset attack

TCP reset attack, also known as a forged TCP reset or spoofed TCP reset, is a way to terminate a TCP connection by sending a forged TCP reset packet. This tampering technique can be used by a firewall or abused by a malicious attacker to interrupt Internet connections.

The Great Firewall of China and Iranian Internet censors are known to use TCP reset attacks to interfere with and block connections, as a major method of carrying out Internet censorship.[1]

Background

The Internet is a system for individual computers to exchange electronic messages, or packets of data. This system includes hardware to carry the messages (such as copper and fiber-optic cables) and a formalized system for formatting the messages, called "protocols". The basic protocol used on the Internet is the Internet Protocol (IP), which is usually coupled with additional protocols such as TCP (Transmission Control Protocol)[2] or UDP (User Datagram Protocol). TCP/IP is the protocol set used for email and web browsing. Each protocol has a block of information, called a header, included near the front of each packet. Headers contain information about which computer sent the packet, which computer should receive it, the packet size, and so on.

TCP is commonly used together with IP (Internet Protocol) to establish a two-way virtual connection between two computers. As a connection-oriented protocol, TCP requires a logical connection to be set up between two processes before any data is exchanged. This is in contrast to UDP, which is a connectionless protocol within the IP suite. TCP/IP sockets let computers communicate, for example a workstation running a browser and a web server, by exchanging a stream of data packets. A TCP connection makes it possible to transfer large data items that exceed the size limit of a single packet, such as video clips, email attachments, or music files. Although some web pages are small enough to fit within a single packet, they are typically transmitted over TCP connections for the added reliability and error control.

TCP resets

In a stream of packets of a TCP connection, each packet contains a TCP header. Each of these headers contains a bit known as the "reset" (RST) flag.[3] In most packets this bit is set to 0 and has no effect. If it is set to 1, however, it tells the receiving computer to stop using the TCP connection immediately: it should send no more packets using the connection's identifying numbers, called ports, and should discard any further packets it receives whose headers indicate they belong to that connection. A TCP reset therefore kills a TCP connection almost instantly.

The reset flag has a legitimate function in managing TCP connections. A typical case arises when a computer, call it Computer A, crashes during an active TCP connection. The computer at the other end of the connection, Computer B, is unaware of the crash and keeps sending TCP packets. After rebooting, Computer A receives these leftover packets from the interrupted connection, but it has no record of that connection and cannot process them, so it normally sends a TCP reset to Computer B. The reset tells Computer B that the connection has failed, so the user at Computer B can try to re-establish the connection or take other action as necessary.

Forging TCP resets

In the scenario above, the TCP reset bit was sent by a computer that was one of the connection endpoints. It is also possible for a third computer to monitor the TCP packets on the connection and then send a "forged" packet containing a TCP reset to one or both endpoints. The headers in the forged packet must falsely indicate that it came from an endpoint rather than from the forger; this information includes the endpoint IP addresses and port numbers. Every field in the IP and TCP headers must be set to a convincing forged value for the fake reset to trick the endpoint into closing the TCP connection. Properly formatted forged TCP resets can be a very effective way to disrupt any TCP connection that the forger can monitor.
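To make the header fields above concrete from a defender's side, here is an added example (not code from the article or from any of the tools it mentions) that decodes the IPv4 and TCP headers of raw packets, reads the RST flag, and applies a simple heuristic for spotting resets that may not have come from the real endpoint: the IP TTL of a genuine endpoint's packets stays stable across a connection, so a RST whose TTL differs noticeably from that endpoint's earlier packets is flagged. The heuristic, the function names, and the sample packets (built in memory, never sent) are all assumptions of this example.

```python
import struct
from dataclasses import dataclass

TCP_RST = 0x04  # position of the RST bit in the TCP flags field

@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    ttl: int
    src_port: int
    dst_port: int
    seq: int
    flags: int

def parse_ipv4_tcp(pkt: bytes) -> Segment:
    """Decode the IPv4 header fields used here, then the fixed part of the TCP header."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes (low nibble = 32-bit words)
    if pkt[9] != 6:                      # protocol byte: 6 means TCP
        raise ValueError("not a TCP packet")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return Segment(src, dst, pkt[8], sport, dport, seq, off_flags & 0x1FF)

def build_ipv4_tcp(src_ip, dst_ip, ttl, sport, dport, seq, flags) -> bytes:
    """Constructed in-memory sample packet for the parser (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp

def find_suspicious_resets(packets, ttl_tolerance=3):
    """Assumed heuristic: a RST whose TTL differs from the TTL previously seen from the same
    endpoint by more than ttl_tolerance hops is reported as a possible forged reset."""
    last_ttl = {}      # (src_ip, src_port, dst_ip, dst_port) -> TTL of last non-RST segment
    suspicious = []
    for raw in packets:
        s = parse_ipv4_tcp(raw)
        key = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        if s.flags & TCP_RST:
            seen = last_ttl.get(key)
            if seen is not None and abs(seen - s.ttl) > ttl_tolerance:
                suspicious.append((key, seen, s.ttl))
        else:
            last_ttl[key] = s.ttl
    return suspicious

# Constructed sample: a client/server exchange seen at a monitor, followed by a RST that
# carries the client's addresses and ports but arrives with a different TTL.
SAMPLE = [
    build_ipv4_tcp("10.0.0.5", "203.0.113.7", 56, 40000, 80, 1000, 0x18),  # PSH|ACK data
    build_ipv4_tcp("203.0.113.7", "10.0.0.5", 52, 80, 40000, 5000, 0x10),  # ACK
    build_ipv4_tcp("10.0.0.5", "203.0.113.7", 61, 40000, 80, 1000, TCP_RST),  # RST, TTL 61
]
```

Running `find_suspicious_resets(SAMPLE)` reports the third packet; a reset with a TTL close to the endpoint's earlier packets would pass unflagged, which is why this is a heuristic rather than proof of forgery.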

Legitimate use

One application of a forged TCP reset is to maliciously disrupt TCP connections without the consent of the two parties that own the endpoints. However, network security systems using forged TCP resets have been designed as well. A prototype "Buster" software package was demonstrated in 1995 that would send forged resets to any TCP connection that used port numbers in a short list. Linux volunteers proposed doing something similar with Linux firewalls in 2000,[3] and open-source software such as Snort used TCP resets to disrupt suspicious connections as early as 2003.[4]

Comcast Controversy

By late 2007, Comcast began using forged TCP resets to cripple peer-to-peer and certain groupware applications on their customers' computers.[5] This started a controversy, which was followed by the creation of the Network Neutrality Squad (NNSquad) by Lauren Weinstein, Vint Cerf, David Farber, Craig Newmark and other well-known founders and champions of openness on the Internet.[6] In 2008, the NNSquad released the NNSquad Network Measurement Agent, a Windows software program written by John Bartas, which could detect Comcast's forged TCP resets and distinguish them from real endpoint-generated resets. The technology to detect the resets was developed from the earlier open-source "Buster" software, which used forged resets to block malware and ads in web pages.

In January 2008, the FCC announced it would investigate Comcast's use of forged resets, and on August 21, 2008, it ordered Comcast to terminate the practice.[7]

Prevention

When connections are encrypted and carried through a VPN, an attacker who wants to block one of them has to carry out a TCP reset attack against all the encrypted connections, causing collateral damage.[citation needed]

References

  1. Clayton, Richard; Murdoch, Steven J.; Watson, Robert N. M. (2006). "Ignoring the Great Firewall of China" (PDF). In Danezis, George; Golle, Philippe (eds.). Privacy Enhancing Technologies. Lecture Notes in Computer Science. Vol. 4258. Cambridge, UK: Springer Berlin. pp. 20–35. doi:10.1007/11957454_2. ISBN 978-3-540-68793-1. Via Department of Computer Science and Technology.
  2. "Transmission Control Protocol (TCP)". STD 7.
  3. "May 2000 Linux discussion archives".
  4. Berry, Josh (2004-02-28). "TCP Resets". snort-users (Mailing list).
  5. Svensson, Peter (19 Oct 2007). "Comcast blocks some Internet traffic". NBC News.
  6. "NNSquad home page".
  7. "Commission Orders Comcast To End Discriminatory Network Management Practices" (PDF).