Network Measurement Tool Detects Reset Packets

kickassweb writes "If you think your ISP is sniffing packets, or worse yet, sending reset packets to stop torrents, there's now a beta Network Measurement Tool to detect them, courtesy of Lauren Weinstein of the Net Neutrality Squad. It's released under the LGPL, and runs under Win2K, XP, and Vista. Quoting: 'While the reset packet detection system included in this release is of interest, NNSquad views this package as more important in the long run as a development base for a broad range of network measurement functionalities and associated communications and analysis efforts.'"

Slashdotters would laud this, but...

[elrous0 (869638)]

Without a Linux version, it's obviously the work of Satan.

Re:

[morgan_greywolf (835522)]

Uh...it's LGPL. They give you the source. You wanna Linux version? Port it.

Re:Slashdotters would laud this, but...

[nmg196 (184961)]

I hate it when people say "just port it" just because something is open source - Like every single computer user is capable of writing low level network code for any platform. I suspect that more than 99.9% of people of people who read slashdot would not stand a hope in hell of "porting it".

Re:Slashdotters would laud this, but...

[morgan_greywolf (835522)]

I hate it when people say "just port it" just because something is open source - Like every single computer user is capable of writing low level network code for any platform. I suspect that more than 99.9% of people of people who read slashdot would not stand a hope in hell of "porting it".

And, yet, at least 50-75% of those (probably much, much more) 99.9% are capable of learning how to do the work. The Linux TCP/IP stack, NIC drivers, etc., are fully open source. There are published specifications, docs, the whole nine yards. Read your RFCs. They're all online.

Programming C is just not that difficult, especially for anyone who already knows how to code in at least one other language.

Don't know how to code? There are tons of tutorials, books, and more on the Web, at your library, at your local bookstore and from e-commerce vendors everywhere.

If you have a brain, and an IQ of at least, say 115 or so, you have no excuse.

Re:Slashdotters would laud this, but...

[Bill_the_Engineer (772575)]

I would like to give the benefit of the doubt to the original poster and interpret his comments this way:

If there was a ready made package for me to use, I would gladly help the monitoring effort. However, I find the mantra "just port it" not only a reactionary response, but also totally unrealistic.

Don't know how to code? There are tons of tutorials, books, and more on the Web, at your library, at your local bookstore and from e-commerce vendors everywhere.

If you have a brain, and an IQ of at least, say 115 or so, you have no excuse.

I find this totally hilarious and would have modded you funny if I had the points to give. You are a comic genius using the absurd to humorously make a point...

I mean it's like saying "If you are capable of reading all the books available on construction and building codes, then there is no excuse for you not being able to build your own house."

Of course I could be wrong and misinterpreted both of your responses, in that case nevermind...

Re:Slashdotters would laud this, but...

[Inner_Child (946194)]

If you have a brain, and an IQ of at least, say 115 or so, you have no excuse.

Maybe your time is worthless, but I actually have things that I have to do. Learning to code requires time that I (and I'm sure many others) just don't have.

Re:

[Frank T. Lofaro Jr. (142215)]

A quote from the UNIX haters book:

http://www.art.net/~hopkins/Don/unix-haters/whinux/your-time.html [art.net]

Linux is Only Free If Your Time is Worthless

Re:

[Rycross (836649)]

Yeah pretty much. My time is worth something to me, and I will pay to have someone save me time, if I deem the amount of time saved worthy of the price. Whats wrong with that?

Weeping

[camperdave (969942)]

And, yet, at least 50-75% of those (probably much, much more) 99.9% are capable of learning how to do the work.

I weep for the future if 25-50% of people are incapable of learning.

Re:Slashdotters would laud this, but...

[blhack (921171)]

If you have a brain, and an IQ of at least, say 115 or so, you have no excuse.

Thank you for completely trivializing a skill that some of us spend our entire lives perfecting.

Seriously, it is this sort of mentality that is killing tech. You DO have to be extremely smart/dedicated to do really low level CS work. You DO have to have a pretty heavy mathematics background to do any really serious code work and it is NOT something that you can "Learn in 7 days" no matter what the books you bought at borders are telling you.

Re:

[wealthychef (584778)]

It takes a long time to learn how to port code. You are totally understating the amount of work it takes to get from user to programmer.

Re:

[Mister Whirly (964219)]

If you want convenient software packages that are ready to go with absolutely no work on your end, I would suggest using Windows or OS X. If you know absolutely zero about programming, why chose a programmer's operating system? I mean really, this IS Slashdot where Open Source is the Greatest Thing Ever(TM) and can save the entire world from any ills...

Re:

[sjames (1099)]

Then they can HIRE someone to port it. Perhaps a few people in the same boat can chip in together to pay for it to be ported.

The tool is probably written for Windows because Linux already has decent network analysis tools as part of most distros.

Re:Slashdotters would laud this, but...

[lintux (125434)]

As usually, Linux already has tools like this for ages, one just has to know how to use them:

tcpdump 'tcp[13] & 4 != 0'

No need to invoke Satan

[Morgaine (4316)]

> Without a Linux version, it's obviously the work of Satan.

Not really. It's just the work of somebody who doesn't hold portability as an important requirement.

Sometimes this happens because they don't have the means to test on other platforms. Sometimes it's because they're so narrowly focussed that they're not even aware that there's more to computing than their own platform. Some people are simply too lazy, or lacking in computing skills, to write portable applications. And quite frequently it's t

Re:

[Mister Whirly (964219)]

Or it is simply a matter of numbers. Windows = 85%+ marketshare so therefore writing a package for Windows = millions and millions of potential more users than writing a package for Linux. It's a simple explanation, especially if you apply Heinlein's Razor.

Ignoring reset packets?

[Ojuicer (1298565)]

First the Chinese firewall, and now ISPs closer to home.
Of course the ISPs shouldn't be allowed to spoof any packets, but what would be the consequence of ignoring all reset packets on a home network?

RST blocking?

[Applekid (993327)]

IANANG (I Am Not A Network Guru) but, what harm could happen if, say, all reset packets were just ignored and dropped by the network stack? All the hubbub about figuring out if your ISP is sabotaging you seems less useful than just blocking the shanangans and moving on with your life.

Re:RST blocking?

[cduffy (652)]

Without RST packets, how are you supposed to know if the remote host is legitimately closing the connection?

Re:

[Ed Avis (5917)]

Without RST packets, how are you supposed to know if the remote host is legitimately closing the connection?

Um, IPsec?

Point is, if your ISP spoofs RST packets, you cannot know when the remote host is legitimately closing the connection. If you get such a packet it could be genuine or it could be a fake. So it doesn't tell you much. You need some means for the remote host to sign every packet it sends out so they can't be spoofed, or else stop trusting them.

Re:

[by Anonymous Coward]

Opportunistic IPSec runs into the problem that you need a pre-shared secret ("PSK") or a public key infrastructure ("PKI"), otherwise malicious persons will simply do man-in-the-middle attacks on the key exchange, so they can do deep inspection of the encrypted traffic anyway (they just have to add decryption to the inspection process).

The net result of IPSec (or TLS) without strong authentication of both parties is that each packet consumes considerably more energy on the transmit and receive end systems,

Re:

[justthinkit (954982)]

IAANANG but what if, and I'm just spitballing here, an alternate network stack is written. It allows user-designated programs to tap into the "sample everything" trough, and does standard network stack stuff for every other program. When you install AltNS it asks for some 2000 byte random string and you have to provide that on a case-by-case basis whenever you want to allow a new progie to snoop everything. Ok, I worded that like crap but I think my drift has been cast, to the four sheets.

Re:

[tatsu69 (59184)]

They send you a FIN packet. RST is only for exceptional situations.

Re:

[Eponymous Bastard (1143615)]

Wait for the FIN packet? ...But apparently Linux uses RSTs anyway...

Oh, I know, wait for the second RST. When you get one, ignore and respond with an ACK or keepalive. IIRC, if the other side did close the connection, any extra packet is answered with another RST (Not sure about an empty ACK though).

If you receive a packet with a higher sequence number, the original RST was fake. If you get a second RST you acknowledge and close.

I'm not sure if you could do this at the firewall level or if you'd need to mod

Re:

[Hal_Porter (817932)]

the internet doesn't come to a screeching halt when an RST packet happens to be dropped somewhere...

No, because there's a timeout in the TIME_WAIT state. As far as I can tell RST packets are a way to break the connection and allow the TCP/IP stack to know that the socket is no longer in use.

I think if you ignored RST packets you'd end up with more sockets stuck in TIME_WAIT rather than being closed. Of course you could just increase the size of the socket table to compensate for entries getting stuck in TIME_WAIT or decrease the timeout or both.

But actually I found another problem. The forged RST packets

Re:RST blocking?

[Zocalo (252965)]

Assuming that you have a device capable of doing so, which I doubt many SoHo router/firewalls are, then there are not too many issues with dropping RST packets, and none of the them are show stoppers. It'll take a little longer before your web browser or whatever can determine that the remote site is genuinely down or otherwise refusing connections but that's about it from the "end-user" point of view. If you have a Linux proxy box however, then IPTables is perfectly capable of doing this for you, and can even do so in a sensible way - ie. just for BitTorrent traffic, just to pick a protocol at random.

Re:RST blocking?

[yabos (719499)]

If you can do that with iptables then you could do it with a home router and a 3rd party firmware on it. DD-WRT has iptables and I believe Tomato does as well.

Re:

[Alioth (221270)]

I'm surprised a UDP based filesharing protocol hasn't emerged because of this, allied with an automatic system that signs each UDP packet. That way, if the ISP got "smart" and injected fake UDP packets containing the command to end the transfer, it could easily be determined as fake since its signature would be incorrect.

The evolvong nature of "open"

[utnapistim (931738)]

This just highlights the evolving nature of open ... protocols? (it's more than the software).
I believe new software will appear that works around the next attempt to block torrents, and new software to go arround the one after that ...
If there is a big-enough interest in code/protocol changes, and the code / protocol is open, you can't "put a stop" to it.

Well ... not for long.

Not sure what the point is

[Moraelin (679338)]

I'm not entirely sure what your point is, and if it's supposed to be a good or a bad thing.

What would happen on a closed proprietary protocol? (E.g., let's imagine that MS had pursued their initial idea of makingt a MS net instead of the Internet, or that AOL/Compuserve/whatever had never gone TCP/IP and managed to win on their own, or that we all were on the French minitel. Or, heck, that each ISP had their own protocol and proprietary browser, and just converted to and from it. At least one did try to convert the graphics like that, and at least one is currently re-encoding movies, so it's not a huge stretch of imagination.)

Well, then you'd be pretty much in the hands of whoever owns the protocol, i.e., most likely the ISP. If you were on, say, a proprietary AOL network, which works only with proprietary AOL software, and uses AOL's own proprietary protocols, then you're completely at their mercy. If they want to reset your connections, or whatever else, what are you going to do about it?

Of course, you could reverse-engineer their protocols and patch their programs, which is a hell of a lot more expense and effort than with the open protocols. Except then they could:

1. Just change the protocol from one version to another, to break your changes. (AOL actually did this for a while to keep breaking MS's attempts of making their Windows Messenger interoperable with AIM.)

2. Sue you under DMCA for hacking into their network and bypassing their checks. (Seriously, much smaller attempts at reverse-engineering a protocol resulted in DMCA lawsuits.)

So basically at best you'd have to bet a _lot_ on, well, how sympathetic a judge would be to your view that you have a right to bypass the usage or access restrictions on privately owned servers, to download more than you've bought, and to hack their software to that end. I wouldn't take it as a given.

So basically open software at least gives you a fighting chance at all. Yes, they can keep modifying their implementation, but so can you. In the closed version, they own the software and the protocol, they can change it, but _you_ can't.

Open standards even put a limit on how far they can take technique #1 above, because at the end of the day, they still have to remain compatible with a metric buttload of software and hardware that they don't control. In the all proprietary version, if they want to change the protocol and software _completely_, and leave the old channel open just for downloading the new software, they can.

Re:

[utnapistim (931738)]

I'm not entirely sure what your point is, and if it's supposed to be a good or a bad thing.

It's a good thing: due to the open nature of the torrent protocol, I think we will see changes in the torrent clients, that will make the current sabotage attempts obsolete.

Grammar?

[Thornburg (264444)]

Um, sorry, but "Network Measurement Tool Detect Reset Packets" is not a proper grammatical structure. It could be "Network Measurement Tool Detects Reset Packets" or "Network Measurement Tool to Detect Reset Packets" or several other things, but right now it has a problem.

Aside from that, it's great the people develop tools like this, but very surprising to see this be Windows-only.

Re:Grammar?

[Vectronic (1221470)]

From The Site:

Please let us know if you're interested in coordinating on ports to other platforms, such as Linux, BSD, and Mac, or embedded hardware (e.g. WRT54G router).

Special thanks to John Bartas for all of his diligent and continuing work on this software for NNSquad.

So, I would assume that its just the one guy working on it (at the moment) which would explain why its Windows Only, its probably his chosen platform.

Re:

[TooMuchToDo (882796)]

Or, perhaps, he just wanted to make it available to a wider audience. Linux on the desktop usage is still a fraction of all desktops.

Re:

[Mister Whirly (964219)]

Bingo. Give that man a cigar. The simplest explanation is most often the correct one.

Satan Prevails - A distributed Get Your Hands Off

[itsybitsy (149808)]

How about setting up a firewall with our own deep packet inspection and reporting system? That way we can collectively scan, identify, analyze, report to a central site, aggregate the results, perform large scale analysis, and report the full results on all kinds of attacks on these firewalls around the world.

A distributed Get Your Hands Off My Network. This information can be used to provide Objective Evidence for Court Cases Against Aggressive ISP and Those Who Pretend To Be The Governments And Homeland Security Departments of The ~192 Imagined Countries Around The World. It's about time that these pretenders, who do real harm to other people in the world to, know that they are not the only ones with some power. We tech geeks say hands off our Internets and we are watching and reporting on YOU BIG BROTHER!

Power the the Geeks.

Network Measurement Tool Detect Reset Packets

[HPUXCowboy (735911)]

I would point out that a tool has existed for years that possessed this capability AND has been available on BOTH Linux (*NIX) and M$ platforms. It's called Wireshark (formerly Ethereal). I will offer the caveat that you had to know a bit about TCP/IP protocol to use this tools but, there it is.

Re: Network Measurement Tool Detect Reset Packets

[CogDissident (951207)]

Well yeah, but having a tool where you can have joe-average download it, press a button, and get all upset at Comcast has much more value.

The race is on

[bytesex (112972)]

Because, of course, ISPs could also forge legitimate looking TCP RST packets.

Re:

[Vectronic (1221470)]

Yeah, and when that fails just cut the internet off... "just doing some routine maintenance"

Im becomming suspicious of my ISP for that reason, aside from obvious traffic shaping (which I usually dont mind too much), they also just drop the internet entirely but leave the network intact, so any computers still think there is internet but it goes no further than the ISP, upon which I start fucking with their servers until I get internet back. (you know, 'boredom')

Re:

[jonaskoelker (922170)]

Because, of course, ISPs could also forge legitimate looking TCP RST packets.

If you read the methodology [nnsquad.org] page, you'll learn that:

It's much harder to fake the timing of a spoofed reset.

This round trip time (RTT) is tracked internally by TCP protocol layers, however it can also be measured by external monitoring devices or software at the endpoints.

When sending bulk data during a TCP connection, the RTT between two TCP endpoints usually settles into a narrow, predictable range. Spoofed resets which are injected into the stream will usually have an RTT well below the measured average.

Reset packet spoofers could attempt to evade this detection technique and improve their "stealthiness" by first measuring the RTT of a connection that they are planning to disrupt, then delaying the transmission of their spoofed reset until timing falls within the "expected" RTT. The problem with this approach is the significant risk that the spoofed reset will arrive too late from the standpoint of the receiving endpoint.

In short, spoofed resets have only a relatively narrow time window in which they can be both effective at disrupting connections and simultaneously be resistant to detection as potentially anomalous events.

So yeah, in theory the ISP could, but anomalies are detected in a way that's hard to get around and still work.

Throttling should not use RESET

[redelm (54142)]

Not that [ISP] managment have ever been known for great intelligence, but throttling connections via RESET is just plain dumb. The client will just retry and extra data transferred.

The correct (and difficult to detect) way of throttling is by delaying ACK packets a few ms. Then normal TCP congestion control does all the nice throttling for you.

The ethics of throttling are a different matter: one side says they've been promised unlimited, and the other wants to be fair to all customers.

Normal to have lots of RSTs in HTTP traffic

[asifyoucare (302582)]

I've written my own software to track RSTs among other things (thankyou JPCAP and TCPDUMP) and RSTs are very common in HTTP traffic. I have assumed this is because it is more efficient to tear down a TCP sessions with RST than it is with FIN/ACK, combined with the fact that web traffic tend to generate lots of TCP sessions per page.

How are you going to tell a fake RST from a real one (and no, I haven't RTFA)?

Already a decent Linux tool

[Limburgher (523006)]

yum install pcapdiff on Fedora. http://www.eff.org/testyourisp/pcapdiff/ [eff.org]

'dotted.

[Nullav (1053766)]

Or it may as well be. On the bright side, I did just learn a great lesson about the importance of download mirrors.

Re:

[morgan_greywolf (835522)]

Well, probably. I know you can do this with Wireshark, and wireshark and tcpdump both use libpcap.

Re:

[sukotto (122876)]

tcpdump 'tcp[13] & 4!=0'

Re:Cool

[Culture20 (968837)]

I always use
wget -c <URL>
to download large files. Even when your ISP is on the up and up, you'll get a RST occasionally if the remote computer sends it. Using wget to continue an almost completed download of an iso or XPSP3 is really handy.

Re:

[Jabrwock (985861)]

A good friend of mine works for Shaw Cable... He says it's just three guys (only one on at a time afaik) and when they see someone using to much bandwidth, they phone them up and tell them to settle down with the downloads.

I got one of those calls, and the guy I spoke with couldn't tell me what "grey zone" I'd wandered into, or why my unlimited account... wasn't. I asked him what I should cap my d/l rate to, so I wouldn't get these calls, and he said there wasn't a limit "per se". So I asked him why he was calling me with a vague request to stop using so much of a service he couldn't define for me. No answer.

I've since switched to Sasktel. While it's a lower max bandwidth, I don't have to share, and I don't get a phone ca

Re:

[Jabrwock (985861)]

I'm not sure when this might have been, but shaw has defined limits on their website.... It's possible the guy you spoke to was new and didn't know what the defined limits are. My friend says they don't call unless you cross over those defined limits. I guess my friend can only speak for Shaw Cable in the city he works for though.

This was a few years ago, before they set up their limits. He was just harassing me for "hogging the node", but Shaw marketing hadn't defined what the "limit" was yet. So he really had nothing to guide me with.

When I called Sasktel, I spoke to a tech, and asked him if there were any limits to how much I could download in a month. He was confused by the question, because Sasktel is DSL, so you don't share it at all. If you max out your "tube" 24/7, they don't care, because you paid for all of it. So I swit