how to ignore TCP RST

 
 
paulwvanc@yahoo.ca
Guest
Posts: n/a

 
      12-11-2006, 04:54 AM
hi

I think someone on my network may be screwing around and sending TCP
RST to all my youtube sessions. I'm not entirely sure they are injected
packets. In any case, I'd like to try to ignore them and see if they are
really injected by someone. (It didn't happen with google video.)
If after ignoring them everything still works, that means someone is
definitely screwing around.
How to ignore those packets using iptables?
Thanks.

 
 
 
 
 
Mark T.B. Carroll
Guest
Posts: n/a

 
      12-11-2006, 12:51 PM
(E-Mail Removed) writes:

> I think someone on my network may be screwing around and sending TCP
> RST to all my youtube sessions. I'm not entirely sure they are injected
> packets. In any case, I like to try to ignore them and see if they are
> real injected by someone. (It didn't happen with google video.)
> If after ignoring them everything still work, that means someone is
> definitely screwing around.
> How to ignore those packets using iptables?


Something like,

iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

....? Probably close to it anyway.

-- Mark
 
 
Moe Trin
Guest
Posts: n/a

 
      12-11-2006, 06:47 PM
On 10 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, (E-Mail Removed)
wrote:

>I think someone on my network may be screwing around and sending TCP
>RST to all my youtube sessions. I'm not entirely sure they are injected
>packets.


Use a packet sniffer, and look at the MAC (hardware) address of the packets.

>In any case, I like to try to ignore them and see if they are real
>injected by someone. (It didn't happen with google video.) If after
>ignoring them everything still work, that means someone is definitely
>screwing around.


You say "my network". Is it possible that your connection is being blocked
by your "upstream"? You should consult with the network administrators.

>How to ignore those packets using iptables?


I don't think anyone has ever tried, but see the packet-filtering-HOWTO
from http://www.iptables.org/documentation/HOWTO/

Old guy
 
 
paulwvanc@yahoo.ca
Guest
Posts: n/a

 
      12-11-2006, 10:37 PM

Moe Trin wrote:
> On 10 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, in article
> <(E-Mail Removed) .com>, (E-Mail Removed)
> wrote:
>
> >I think someone on my network may be screwing around and sending TCP
> >RST to all my youtube sessions. I'm not entirely sure they are injected
> >packets.

>
> Use a packet sniffer, and look at the MAC (hardware) address of the packets.
>
> >In any case, I like to try to ignore them and see if they are real
> >injected by someone. (It didn't happen with google video.) If after
> >ignoring them everything still work, that means someone is definitely
> >screwing around.

>
> You say "my network". Is it possible that your connection is being blocked
> by your "upstream"? You should consult with the network administrators.


Something is strange. The only way to inject TCP RST is upstream
firewalls or stateful routers. Why would anyone block Youtube? I mean
Youtube was bought by Google.
I get frequent "connection reset by peer" from Youtube. Can Youtube
servers be that flaky? If my ISP is doing this, can I sue them? Damn,
this is difficult to sort through.

>
> >How to ignore those packets using iptables?

>
> I don't think anyone has ever tried, but see the packet-filtering-HOWTO
> from http://www.iptables.org/documentation/HOWTO/
>
> Old guy


 
 
paulwvanc@yahoo.ca
Guest
Posts: n/a

 
      12-11-2006, 10:49 PM

Moe Trin wrote:
> On 10 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, in article
> <(E-Mail Removed) .com>, (E-Mail Removed)
> wrote:
>
> >I think someone on my network may be screwing around and sending TCP
> >RST to all my youtube sessions. I'm not entirely sure they are injected
> >packets.

>
> Use a packet sniffer, and look at the MAC (hardware) address of the packets.


MAC is useless. Kids can fake that.

>
> >In any case, I like to try to ignore them and see if they are real
> >injected by someone. (It didn't happen with google video.) If after
> >ignoring them everything still work, that means someone is definitely
> >screwing around.

>
> You say "my network". Is it possible that your connection is being blocked
> by your "upstream"? You should consult with the network administrators.
>
> >How to ignore those packets using iptables?

>
> I don't think anyone has ever tried, but see the packet-filtering-HOWTO
> from http://www.iptables.org/documentation/HOWTO/
>
> Old guy


 
 
paulwvanc@yahoo.ca
Guest
Posts: n/a

 
      12-11-2006, 10:53 PM

(E-Mail Removed) wrote:
> Moe Trin wrote:
> > On 10 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, in article
> > <(E-Mail Removed) .com>, (E-Mail Removed)
> > wrote:
> >
> > >I think someone on my network may be screwing around and sending TCP
> > >RST to all my youtube sessions. I'm not entirely sure they are injected
> > >packets.

> >
> > Use a packet sniffer, and look at the MAC (hardware) address of the packets.
> >
> > >In any case, I like to try to ignore them and see if they are real
> > >injected by someone. (It didn't happen with google video.) If after
> > >ignoring them everything still work, that means someone is definitely
> > >screwing around.

> >
> > You say "my network". Is it possible that your connection is being blocked
> > by your "upstream"? You should consult with the network administrators.

>
> Something is strange. The only way to inject TCP RST is upstream
> firewalls or stateful routers. Why would anyone block Youtube? I mean
> Youtube was bought by Google.
> I get frequent "connection reset by peer" from Youtube. Can Youtube
> servers be that flaky? If my ISP is doing this, can I sue them? Damn,
> this is difficult to sort through.


If I'm not mistaken this kind of attack can only be done by major gateways
or routers.
I hate to think some player is so shady as to do something like this.
Else, Youtube is doing it.

>
> >
> > >How to ignore those packets using iptables?

> >
> > I don't think anyone has ever tried, but see the packet-filtering-HOWTO
> > from http://www.iptables.org/documentation/HOWTO/
> >
> > Old guy


 
 
paulwvanc@yahoo.ca
Guest
Posts: n/a

 
      12-11-2006, 11:20 PM

(E-Mail Removed) wrote:
> (E-Mail Removed) wrote:
> > Moe Trin wrote:
> > > On 10 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, in article
> > > <(E-Mail Removed) .com>, (E-Mail Removed)
> > > wrote:
> > >
> > > >I think someone on my network may be screwing around and sending TCP
> > > >RST to all my youtube sessions. I'm not entirely sure they are injected
> > > >packets.
> > >
> > > Use a packet sniffer, and look at the MAC (hardware) address of the packets.
> > >
> > > >In any case, I like to try to ignore them and see if they are real
> > > >injected by someone. (It didn't happen with google video.) If after
> > > >ignoring them everything still work, that means someone is definitely
> > > >screwing around.
> > >
> > > You say "my network". Is it possible that your connection is being blocked
> > > by your "upstream"? You should consult with the network administrators.

> >
> > Something is strange. The only way to inject TCP RST is upstream
> > firewalls or stateful routers. Why would anyone block Youtube? I mean
> > Youtube was bought by Google.
> > I get frequent "connection reset by peer" from Youtube. Can Youtube
> > servers be that flaky? If my ISP is doing this, can I sue them? Damn,
> > this is difficult to sort through.

>
> If I'm not mistaken this kind of attack can only done by major gateways
> or routers.
> I hate to think some player is so shady as to do something like this.
> Else, Youtube is doing it.


Is there a difference between these two?
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

>
> >
> > >
> > > >How to ignore those packets using iptables?
> > >
> > > I don't think anyone has ever tried, but see the packet-filtering-HOWTO
> > > from http://www.iptables.org/documentation/HOWTO/
> > >
> > > Old guy


 
 
Moe Trin
Guest
Posts: n/a

 
      12-12-2006, 12:43 AM
On 11 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, (E-Mail Removed)
wrote:

>Moe Trin wrote:


>> Use a packet sniffer, and look at the MAC (hardware) address of the packets.

>
>MAC is useless. Kids can fake that.


The MAC is _ONLY_ on the local wire. Is this some host on your wire, or is
it the router to the world?

In the other post you write:

>> Something is strange. The only way to inject TCP RST is upstream
>> firewalls or stateful routers. Why would anyone block Youtube? I mean
>> Youtube was bought by Google.


We block it at work because it's not work related. It's also a bandwidth
cost I don't need at home (I have other, more useful packets to shift over
the wire).

>> I get frequent "connection reset by peer" from Youtube. Can Youtube
>> servers be that flaky? If my ISP is doing this, can I sue them? Damn,
>> this is difficult to sort through.


They're still using the stuff in San Mateo, not Mountain View. Totally
different pipe.

>If I'm not mistaken this kind of attack can only done by major gateways
>or routers.


ANYWHERE along the path - including on your own LAN. Actually, if they can
guess sequence numbers, it can be done from anywhere in the world.

>I hate to think some player is so shady as to do something like this.
>Else, Youtube is doing it.


Hard to say - I don't use it

Old guy
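
[Added example, not part of any post in this thread.] The packet-sniffer check suggested above, written as a script: it compares each RST with the non-RST segments of the same flow and flags a differing source MAC. It goes one step beyond the thread by also comparing the IP TTL, which changes when a packet originates a different number of hops away. All function names, addresses and frames below are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

RST = 0x04  # TCP RST flag bit

def build_frame(src_mac, src_ip, sport, dport, ttl, flags):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src_mac, src_ip, sport, dport, ttl, flags) or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4          # skip IP options, if any
    if len(frame) < tcp + 14:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return (frame[6:12].hex(":"), ".".join(map(str, frame[26:30])),
            sport, dport, frame[22], frame[tcp + 13])

def suspicious_resets(frames):
    """Flag RSTs whose source MAC or TTL differs from the flow's non-RST segments."""
    baseline, resets, findings = defaultdict(Counter), [], []
    for p in filter(None, map(parse_frame, frames)):
        mac, ip, sport, dport, ttl, flags = p
        if flags & RST:
            resets.append(((ip, sport, dport), mac, ttl))
        else:
            baseline[(ip, sport, dport)][(mac, ttl)] += 1
    for flow, mac, ttl in resets:
        if not baseline[flow]:
            continue                            # no data segments to compare with
        (b_mac, b_ttl), _ = baseline[flow].most_common(1)[0]
        # A different MAC means another host on the local wire sent the frame;
        # a different TTL means it travelled a different number of hops.
        reasons = [n for n, bad in (("mac", mac != b_mac), ("ttl", ttl != b_ttl)) if bad]
        if reasons:
            findings.append((flow, reasons))
    return findings

GW, LAN = "02:00:00:00:00:01", "02:00:00:00:00:99"   # constructed MAC addresses
CAPTURE = ([build_frame(GW, "203.0.113.5", 80, 40000, 52, 0x18)] * 3     # PSH|ACK data
           + [build_frame(LAN, "203.0.113.5", 80, 40000, 64, 0x04)]      # odd RST
           + [build_frame(GW, "198.51.100.7", 80, 40001, 49, 0x10)] * 2  # ACK
           + [build_frame(GW, "198.51.100.7", 80, 40001, 49, 0x14)])     # RST|ACK, consistent
print(suspicious_resets(CAPTURE))
```

A match on both MAC and TTL does not prove a reset is genuine, since a device on the path can copy both; a mismatch is the useful signal.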
 
 
paulwvanc@yahoo.ca
Guest
Posts: n/a

 
      12-12-2006, 01:39 AM

Moe Trin wrote:
> On 11 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, in article
> <(E-Mail Removed) .com>, (E-Mail Removed)
> wrote:
>
> >Moe Trin wrote:

>
> >> Use a packet sniffer, and look at the MAC (hardware) address of the packets.

> >
> >MAC is useless. Kids can fake that.

>
> The MAC is _ONLY_ on the local wire. Is this some host on your wire, or is
> it the router to the world?
>
> In the other post you write:
>
> >> Something is strange. The only way to inject TCP RST is upstream
> >> firewalls or stateful routers. Why would anyone block Youtube? I mean
> >> Youtube was bought by Google.

>
> We block it at work because it's not work related. It's also a bandwidth
> cost I don't need at home (I have other, more useful packets to shift over
> the wire).
>
> >> I get frequent "connection reset by peer" from Youtube. Can Youtube
> >> servers be that flaky? If my ISP is doing this, can I sue them? Damn,
> >> this is difficult to sort through.

>
> They're still using the stuff in San Mateo, not Mountain View. Totally
> different pipe.
>
> >If I'm not mistaken this kind of attack can only done by major gateways
> >or routers.

>
> ANYWHERE along the path - including on your own LAN. Actually, if they can
> guess sequence numbers, it can be done from anywhere in the world.


Not exactly true, only the routers that my packets travel on can do it.
Randomly sending TCP RST is just wasting bandwidth.

>
> >I hate to think some player is so shady as to do something like this.
> >Else, Youtube is doing it.

>
> Hard to say - I don't use it
>
> Old guy


 