Re: RST's and ACK's and stealth scans

From: Steve Bellovin (smbat_private)
Date: Sat May 02 1998 - 15:52:15 PDT


    > Quick questions about TCP/IP traffic
    > 1. What does it mean when I see a Reset accompanied with an ACK?
    > 
    > That is... someone told me that if I see a packet that only has the RESET flag
    > set, this means that the connection was terminated (Or not allowed to
    > establish).
    > But, they said, If I see a packet that contains a RESET with the ACK bit set
    > then although the connection was refused, this is evidence that some service
    > was at least listening enough to Acknowledge.
    > 
    > 2. Can I assume that when My firewall sends RST that the packet reveals
    > nothing more than the fact that the connection was refused, whether the ACK bit
    > is set or not?
    > 
    > 3. If RST was sent and window size is 0 (ACK or no ACK) I conclude that my
    > firewall really does not want to talk... Is this a correct conclusion?
    
    This is far too complicated a set of questions for a quick answer.
    However -- RST without ACK means "connection refused", which generally
    means that there's nothing listening on that port.
    
    Once a connection is set up (that is, has transitioned to ESTABLISHED
    state), all packets will carry the ACK bit.  They must also carry an
    acceptable sequence number.  These provisions both apply to RST messages,
    too.  In this case, though, a RST means that the other side has aborted
    the connection for some reason.
    
    The window size on an ACK packet is irrelevant.
    
    What flavor RST your firewall should send depends on the connection
    state; if it gets it wrong, the remote side probably won't listen.
    That's definitely the case for a bare RST on an established connection.
    
    For more details, see RFC 793 and/or a good text on TCP, such as
    Stevens' ``TCP/IP Illustrated, Volume I''.
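
The receiving side of the point about acceptable ACK and sequence numbers, as an added example that is not part of the original message: a Python sketch of the RFC 793 "SEGMENT ARRIVES" checks applied to an incoming RST, showing when a reset is honored and when it is ignored. The `Segment` and `Tcb` classes, the function names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap at 2**32

@dataclass
class Segment:            # incoming segment with RST set (constructed type)
    seq: int              # SEG.SEQ
    ack: int = 0          # SEG.ACK, meaningful only when ack_flag is True
    ack_flag: bool = False

@dataclass
class Tcb:                # receiver's connection variables, RFC 793 names
    state: str
    snd_una: int = 0
    snd_nxt: int = 0
    rcv_nxt: int = 0
    rcv_wnd: int = 0

def in_range(lo, x, hi):
    """True if lo <= x <= hi in modulo-2**32 sequence space."""
    return (x - lo) % MOD <= (hi - lo) % MOD

def rst_accepted(tcb, seg):
    """RFC 793 SEGMENT ARRIVES checks for a segment carrying RST."""
    if tcb.state in ("CLOSED", "LISTEN"):
        return False      # nothing to reset; the RST is discarded
    if tcb.state == "SYN-SENT":
        # The peer's sequence space is not known yet, so the RST is
        # validated by its ACK field: it must acknowledge our SYN.
        return seg.ack_flag and in_range((tcb.snd_una + 1) % MOD, seg.ack, tcb.snd_nxt)
    # All other states: the RST must carry an in-window sequence number.
    if tcb.rcv_wnd == 0:
        return seg.seq == tcb.rcv_nxt
    return in_range(tcb.rcv_nxt, seg.seq, (tcb.rcv_nxt + tcb.rcv_wnd - 1) % MOD)

def demo():
    """Constructed sample connections and resets."""
    syn_sent = Tcb("SYN-SENT", snd_una=1000, snd_nxt=1001)
    est = Tcb("ESTABLISHED", rcv_nxt=MOD - 100, rcv_wnd=8192)
    return {
        "syn_sent_rst_acks_our_syn": rst_accepted(syn_sent, Segment(0, 1001, True)),
        "syn_sent_rst_wrong_ack": rst_accepted(syn_sent, Segment(0, 5000, True)),
        "established_rst_in_window": rst_accepted(est, Segment(50, 0, True)),
        "established_rst_out_of_window": rst_accepted(est, Segment(20000)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'ignored'}")
```

The in-window case uses a receive window that wraps past 2**32, which is why the comparison is done modulo the sequence space rather than with plain integer ordering.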
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:18 PDT