TCP reset attack

TCP reset attack, also known as a forged TCP reset or spoofed TCP reset, is a way to terminate a TCP connection by sending a forged TCP reset packet. This tampering technique can be used by a firewall or abused by a malicious attacker to interrupt Internet connections.

The Great Firewall of China, and Iranian Internet censors are known to use TCP reset attacks to interfere with and block connections as a major method to carry out Internet censorship.

Background
The Internet is a system for individual computers to exchange electronic messages, or packets of data. This system includes hardware to carry the messages (such as copper and fiber optics cables) and a formalized system for formatting the messages, called "protocols". The basic protocol used on the Internet is the Internet Protocol (IP), which is usually coupled with additional protocols such as TCP (Transmission Control Protocol ) or UDP (User Datagram Protocol). TCP/IP is the protocol set used for email and web browsing. Each protocol has a block of information, called a header, included near the front of each packet. Headers contain information about which computer sent the packet, which computer should receive it, the packet size, etc.

TCP is commonly employed alongside IP (Internet Protocol) to establish a two-way virtual connection between two computers. As a connection-oriented protocol, TCP necessitates the establishment of a logical connection between two processes prior to the exchange of data. This is in contrast to UDP, which is a connection-less protocol within the IP suite. TCP/IP sockets facilitate communication between computers, such as between a workstation with a browser and a web server, through the exchange of a stream of data packets. The use of a TCP connection enables the transfer of large data items, which exceed the size limits of a single packet, including video clips, email attachments, or music files. Although certain web pages are sufficiently small to fit within a single packet, they are typically transmitted over TCP connections for enhanced reliability and error control.

TCP resets
In a stream of packets of a TCP connection, each packet contains a TCP header. Each of these headers contains a bit known as the "reset" (RST) flag. In most packets, this bit is set to 0 and has no effect. However, if this bit is set to 1, it indicates to the receiving computer that the computer should immediately stop using the TCP connection; it should not send any more packets using the connection's identifying numbers, called ports, and discard any further packets it receives with headers indicating they belong to that connection. A TCP reset kills a TCP connection near instantly.

This tool serves a specific function within the realm of computer networking, particularly in managing TCP connections. A notable use case arises when a computer, referred to as 'Computer A,' experiences a system crash during an active TCP connection. Consequently, the corresponding computer on the other end of the connection, designated as 'Computer B,' remains unaware of the crash and continues to transmit TCP packets. Upon rebooting, Computer A receives these residual packets from the disrupted connection. However, lacking the original context and unable to process them appropriately, Computer A typically issues a TCP reset signal to Computer B. This reset informs Computer B of the failure in the connection, prompting the user at Computer B to either attempt reestablishing the connection or take alternative actions as necessary.

Forging TCP resets
In the scenario above, the TCP reset bit was sent by a computer that was one of the connection endpoints. It is possible for a third computer to monitor the TCP packets on the connection and then send a "forged" packet containing a TCP reset to one or both endpoints. The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger. This information includes the endpoint IP addresses and port numbers. Every field in the IP and TCP headers must be set to a convincing forged value for the fake reset to trick the endpoint into closing the TCP connection. Properly formatted forged TCP resets can be a very effective way to disrupt any TCP connection that the forger can monitor.

Legitimate use
One application of a forged TCP reset is to maliciously disrupt TCP connections without the consent of the two parties that own the endpoints. However, network security systems using forged TCP resets have been designed as well. A prototype "Buster" software package was demonstrated in 1995 that would send forged resets to any TCP connection that used port numbers in a short list. Linux volunteers proposed doing something similar with Linux firewalls in 2000, and open source software, such as Snort used TCP resets to disrupt suspicious connections as early as 2003.

Comcast Controversy
By late 2007, Comcast began using forged TCP resets to cripple peer-to-peer and certain groupware applications on their customers' computers. This started a controversy, which was followed by the creation of the Network Neutrality Squad (NNSquad) by Lauren Weinstein, Vint Cerf, David Farber, Craig Newmark and other well-known founders and champions of openness on the Internet. In 2008, the NNSquad released the NNSquad Network Measurement Agent, a Windows software program written by John Bartas, which could detect Comcast's forged TCP resets and distinguish them from real endpoint-generated resets. The technology to detect the resets was developed from the earlier open-source "Buster" software which used forged resets to block malware and ads in web pages.

In January 2008, the FCC announced it would investigate Comcast's use of forged resets, and, on August 21, 2008, it ordered Comcast to terminate the practice.

Prevention
By encrypting connections through the utilization of a VPN, the attacker has to do a TCP reset attack on all encrypted connections, causing collateral damage.