Re: Retransmissions while blocking TCP Stack's RST?

From: Bryan Burns (bburnsat_private)
Date: Wed Oct 30 2002 - 13:37:08 PST


    If you're using TCP, the sequence numbers in the ACKs are going to be  
    totally wrong, and just won't work.  For example:
    
     > SYN (seq Sc) (from the replay)
    < SYN ACK (seq Ss, ack Sc) (from your stack)
     > SYN (seq Sc+1, ack Ss_old) (from the replay)
    < stack-dependent freak-out
    
    You somehow have to either make your stack's sequence number be the  
    same from the replay, or have your replay ACK the correct sequence  
    number.  A similar issue arises if the number of bytes your stack sends  
    doesn't match the number of bytes from the replay.
    
    -Bryan
    
    
    On Wednesday, October 30, 2002, at 12:30 PM, Jared Stanbrough wrote:
    
    > On Wed, 30 Oct 2002, Brad Arlt wrote:
    >
    >> On Wed, Oct 30, 2002 at 06:33:38AM -0800, Cynic wrote:
    >>> Hi,
    >>>
    >>> I am looking for an application for *NIX, that can replay captured
    >>> packets, while dropping the TCP stack's responses.  Let's assume I
    >>> replay a SYN, and receive a SYN-ACK, my host's TCP Stack immediately
    >>> replies with a RST since it was not aware a connection was to be
    >>> opened.  So I am looking for some low-level retransmission
    >>> application for *nix such as Network monitor for NT. (I believe it
    >>> does this.)
    >>
    >> http://tcpreplay.sourceforge.net/
    >>
    >> TCP Replay resends a libpcap or snoop capture file.  As far as I know
    >> it doesn't listen to a darn thing, so you are good to go.
    >
    > This doesn't address the issue of keeping the originating machine from
    > trying to take part in the replayed TCP session. The question isn't how to
    > replay the data, it's how to keep the originating host from screwing it up
    > by tearing down the illegitimate connection.
    >
    > One easy way to do this would be to set up iptables to block outbound TCP
    > packets that have the RST flag set (of course, this would mess up replayed
    > data which contains RSTs..but I'm sure you can think of creative solutions
    > for that :)
    >
    > --jared
    >
    >>
    >> You can trim the capture file however you like using the tools that
    >> come with it, Snoop, or tcpdump.
    >> -----------------------------------------------------------------------
    >>    __o		Bradley Arlt			Security Team Lead
    >>  _ \<_		arltat_private		University Of Calgary
    >> (_)/(_) 	I should be biking right now.	Computer Science
    >>
    >>
    >
    >
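
Added example, not part of the original thread: a sketch of the ACK translation Bryan describes, mapping each replayed ACK from the captured server's sequence space (Ss_old) to the live stack's (Ss), and flagging the point where the live stack has sent fewer bytes than the capture expected. The function names, tuple layout and sample values are assumptions made for illustration.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def translate_ack(ack_old, ss_old, ss_live):
    """Map an ACK from the captured server's sequence space to the live one."""
    relative = (ack_old - ss_old) % MOD      # bytes acked, SYN counts as 1
    return (ss_live + relative) % MOD


def rewrite_replay(packets, ss_old, ss_live, live_server_bytes):
    """Rewrite ACK numbers on replayed client packets.

    packets: list of (flags, seq, ack) tuples from the capture (client side).
    live_server_bytes: payload bytes the live stack has actually sent.
    Returns a list of (flags, seq, ack, in_sync) tuples.
    """
    out = []
    for flags, seq, ack in packets:
        if "A" not in flags:                 # the initial SYN carries no ACK
            out.append((flags, seq, ack, True))
            continue
        relative = (ack - ss_old) % MOD
        # Highest value the live stack will accept: its SYN (1) plus
        # every payload byte it has sent so far.
        in_sync = relative <= 1 + live_server_bytes
        out.append((flags, seq, translate_ack(ack, ss_old, ss_live), in_sync))
    return out


# Constructed sample: captured server ISN near the wrap point, client ISN 1000.
SS_OLD = 0xFFFFFFF0
SS_LIVE = 0x12345678
CAPTURE = [
    ("S", 1000, 0),                          # SYN
    ("A", 1001, (SS_OLD + 1) % MOD),         # ACK of the SYN-ACK
    ("PA", 1001, (SS_OLD + 1 + 40) % MOD),   # ACK after 40 bytes of server data
]

if __name__ == "__main__":
    # Live stack sent only 20 bytes where the capture had 40.
    for pkt in rewrite_replay(CAPTURE, SS_OLD, SS_LIVE, live_server_bytes=20):
        print(pkt)
```

A packet marked out of sync acknowledges data the live stack never sent, which is the byte-count mismatch case: offset translation alone cannot repair it.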
    



    This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 13:42:01 PST