[fw-wiz] Best way to drop forged TCP packets with RST flag set from comcast traffic shaping devices with iptables



Hi all,



I found this while reading Slashdot today, and decided to ask about it.



http://systems.cs.colorado.edu/mediawiki/index.php/Broadband_Network_Management



I don't really want to wait for the results of any FCC investigation
that may or may not find that Comcast is violating fair use policy,
network neutrality, etc.



I would like to use iptables to start blocking these forged TCP packets
as they hit the external interface of a Linux firewall.



I've noticed a lot of different functionality that can be enabled or
modularized in the 2.6 kernel for netfilter, i.e. rate limiting, flag
matching support, state match, etc.



What is the best way to configure the netfilter options in the kernel
config to identify and drop these invalid TCP RST packets? What
iptables rules can be used to implement and filter these forged packets?



It seems that using the old method that I'm aware of (filtering these
packets because they are not part of an already related or established
connection) is no longer adequate. This seems to be a very transparent
man-in-the-middle-centric approach that Comcast is using.



One method that they seem to be using which is particularly interesting
is that the TTL value set in the incoming forged TCP packets often has
a specific static value, i.e. 30.



Another netfilter option that can be enabled is TTL match support. Can
this functionality be used to find these packets? Could TTL match
support be used in combination with rate match support to detect if more
than X TCP packets with RST flag set and with a TTL value of 30 arrived
in a given time frame, i.e. more than 1 every five seconds, and if so
drop them? Would the packets have to be queued in order for this to
work?

Would this be a reliable way to find and block forged packets?



Please share your thoughts. I'm just entertaining a few ideas here.



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
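The TTL-plus-rate heuristic the post asks about, written out as an iptables ruleset. This is an added example, not something from the original post or from the thread: it assumes the external interface is eth0, that the forged RSTs carry a static TTL of 30, and that "1 every five seconds" is the tolerated rate (12/minute with a burst of 1). It uses only the stock `ttl` and `limit` matches. Inbound RSTs are diverted into a dedicated chain before any state match could accept them as part of an ESTABLISHED flow; RSTs with any other TTL, and a trickle of RSTs with the suspect TTL, are returned to the normal policy, and the rest are logged and dropped. Run it with no arguments to print the rules; `apply` runs them for real.

```shell
#!/bin/sh
# Added example (not from the original post). Drops inbound TCP RSTs that
# carry a suspicious static TTL and arrive faster than a tolerated rate.
# Assumptions: external interface eth0, forged TTL 30, rate 1 per 5 s.

IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"                   # assumed external interface
FORGED_TTL="${FORGED_TTL:-30}"             # static TTL seen on forged RSTs
ALLOWED_RATE="${ALLOWED_RATE:-12/minute}"  # 1 RST per 5 seconds
LOG_RATE="${LOG_RATE:-6/minute}"           # keep the log readable

# rst_filter_rules [command]
# Emits/executes the rules through "command" (default: $IPTABLES).
# Pass "echo" to preview the rules without root or netfilter.
rst_filter_rules() {
    ipt="${1:-$IPTABLES}"

    # Dedicated chain keeps the RST policy separate from the rest.
    $ipt -N RST_CHECK 2>/dev/null || $ipt -F RST_CHECK

    # Divert every inbound RST on the external interface into that chain,
    # at the top of INPUT and FORWARD, i.e. before any ESTABLISHED accept.
    for chain in INPUT FORWARD; do
        $ipt -I "$chain" 1 -i "$EXT_IF" -p tcp --tcp-flags RST RST -j RST_CHECK
    done

    # RSTs whose TTL is not the suspect value go back to the normal policy.
    $ipt -A RST_CHECK -m ttl ! --ttl-eq "$FORGED_TTL" -j RETURN

    # Tolerate a low rate of RSTs with that TTL: a legitimate peer can sit
    # at exactly that hop distance, so a blanket drop would break real
    # connections.
    $ipt -A RST_CHECK -m limit --limit "$ALLOWED_RATE" --limit-burst 1 -j RETURN

    # Everything above the rate is logged (rate-limited) and dropped.
    $ipt -A RST_CHECK -m limit --limit "$LOG_RATE" -j LOG --log-prefix "FORGED-RST: "
    $ipt -A RST_CHECK -j DROP
}

case "${1:-}" in
    apply) rst_filter_rules ;;       # needs root and a netfilter kernel
    *)     rst_filter_rules echo ;;  # preview only
esac
```

Two caveats a practitioner should keep in mind: the `limit` match is global, so a burst of RSTs from one peer exhausts the allowance for every peer (the `hashlimit` match keyed on source address is the per-peer alternative), and any RST that passes the rate check is still delivered, so this reduces rather than eliminates the effect. The TTL value is also only as stable as the injecting device's hop distance; confirm the observed value with `tcpdump -v` on the external interface before trusting it, and check hits with `iptables -L RST_CHECK -v -n`.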

