# Ignore foreign tcp reset packets?

## ToeiRei

I have read about some tools which are trying to cut TCP connections by sending TCP reset packets to both ends of the connection to provoke a shutdown of it. So I am playing around with the idea of examining the hop count (TTL) in the reset packets and determining whether the values are consistent with them arriving from the far end, or if the value indicates they have come from somewhere else, and ignoring it.

So the big question is: is this possible...?

Rei

----------

## gerdesj

If something is able to do a man in the middle like this then it will have to be quite sophisticated.  

Even if you could get your end to ignore "bad" RSTs, what about the other end?  

The only people I can think of that could do this sort of thing routinely would be your ISP. In general the legality of this sort of thing is highly questionable.

Some hints as to what these tools are might be useful.

Cheers

Jon

----------

## bunder

I would imagine he's talking about Sandvine and other ISP QoS devices meant to kill the usage of BitTorrent and other P2P networks.

----------

## ToeiRei

@bunder: you're partially right. I have found that tool:

    * net-analyzer/cutter
         Available versions:  1.03-r1
         Homepage:            http://www.lowth.com/cutter/
         Description:         TCP/IP Connection cutting on Linux Firewalls and Routers

and I just want to know if there's a clean way against such 'foreign connection termination'.

----------

## manaka

You should take into account that the number of hops changes dynamically on the Internet... So the TTL you see can change even if you are not subject to RST attacks.

BTW, someone in the middle could easily forge the TTL of the injected packets... So they could circumvent this kind of TTL protection...

Other tools for the collection  :Wink: ... tcpkill and tcpnice from net-analyzer/dsniff.

----------
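The TTL check Rei proposes, together with the two caveats manaka raises (routes drift, and a box in the path can forge its TTL), as an added example that is not part of the thread and not code from cutter or dsniff. It parses raw IPv4/TCP headers, learns the TTL the far end's normal traffic arrives with, and then judges incoming RSTs against that baseline with a small tolerance for route changes. The addresses, the tolerance of 2 hops, and the table of common initial TTLs (64/128/255) are assumptions chosen for the demonstration; the packets are constructed inline with no checksums.

```python
"""TTL-consistency heuristic for incoming TCP RST packets.

Added example for the thread above (not from cutter, dsniff or any forum post).
"""
import struct

TCP_RST = 0x04
TCP_PSH_ACK = 0x18
# Assumed table of initial TTLs used by common stacks: Linux/BSD 64, Windows 128, routers 255.
INITIAL_TTLS = (64, 128, 255)


def build_packet(src, dst, sport, dport, ttl, flags, seq=0):
    """Build a minimal IPv4+TCP header (constructed test data, checksums left at 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, ttl, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                          5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Return (flow 4-tuple, ttl, tcp_flags) from a raw IPv4/TCP packet."""
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
    ttl, proto = raw[8], raw[9]
    if proto != 6:
        raise ValueError("not TCP")
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]
    return (src, sport, dst, dport), ttl, flags


def infer_hops(ttl):
    """Estimate hop count as the distance below the nearest common initial TTL."""
    return min(t - ttl for t in INITIAL_TTLS if t >= ttl)


class RstFilter:
    """Accept a RST only if its TTL matches what the peer's own traffic arrives with."""

    def __init__(self, tolerance=2):
        self.baseline = {}          # flow -> TTL last seen on non-RST packets
        self.tolerance = tolerance  # assumed slack for route changes (manaka's point)

    def observe(self, raw):
        flow, ttl, flags = parse_packet(raw)
        if flags & TCP_RST:
            return self.judge(flow, ttl)
        self.baseline[flow] = ttl   # learn/refresh baseline from ordinary traffic
        return "data"

    def judge(self, flow, ttl):
        base = self.baseline.get(flow)
        if base is None:
            return "unknown-flow"   # nothing to compare against; policy decision
        if abs(ttl - base) <= self.tolerance:
            return "accept"
        return "drop"               # TTL implies a different origin than the peer


def demo():
    """Run three RSTs through the filter; addresses are constructed (RFC 5737 ranges)."""
    f = RstFilter(tolerance=2)
    peer, me = "203.0.113.7", "198.51.100.9"
    # Peer is a Linux host (initial TTL 64) twelve hops away: data arrives with TTL 52.
    f.observe(build_packet(peer, me, 443, 40000, 52, TCP_PSH_ACK))
    results = {}
    # Genuine RST after a route change of one hop: within tolerance.
    results["legit_rst"] = f.observe(build_packet(peer, me, 443, 40000, 51, TCP_RST))
    # Injected RST from a box five hops away that keeps its own initial TTL of 64.
    results["injected_rst"] = f.observe(build_packet(peer, me, 443, 40000, 59, TCP_RST))
    # Same box, but it forges its initial TTL so the packet arrives with TTL 52.
    results["forged_rst"] = f.observe(build_packet(peer, me, 443, 40000, 52, TCP_RST))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The third case is the one that matters: a device in the path that learns the peer's TTL (it sees the same flow you do) just sets its own initial TTL to `observed_ttl + its_distance_to_you` and the check passes, so this is at best a speed bump against an ISP middlebox. It also says nothing about the RST sent to the other end of the connection, which is gerdesj's objection.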

