NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Re: [IP] Re: a wise word from a long time network person -- Merccurynews report on Stanford hearing

At 03:55 PM 4/23/2008, Warren Kumari wrote:
>>Not so. Routers send RST packets. All the time. We've had them set up
>>to do this for 15 years.
>Um, can you back this assertion up with some evidence?

Sure. In fact, I just sent a private e-mail with some examples, so I'll just cut and paste them here.

Firstly, our dialup routers always send out RST packets on existing connections when a customer disconnects. This is for security; we don't want the next caller getting (possibly confidential) traffic destined for the prior one.

Secondly, many routers send RST packets in response to what they see as an attack. Witness the University of Colorado students who launched a SYN flood on a Comcast network and detected lots of RST packets -- only to discover that the packets were coming from their own firewall and not from Comcast!

Finally, the ability to send RST packets in response to bad behavior (or any behavior specified by the administrator, in fact) is built into Berkeley UNIX -- whose development, as you may recall, was funded by DARPA. See the manual page for ipfw, the default firewall for FreeBSD, at


One of the actions when a firewall rule is matched is:

     reset  Discard packets that match this rule, and if the packet is a TCP
             packet, try to send a TCP reset (RST) notice.  The search termi-

ipfilter (ipf), the other standard UNIX firewall, likewise has a "return-rst" action.
Linux's iptables offers "--reject-with tcp-reset". And OpenBSD's recently developed pf (packet filter) offers "block return", which sends a RST.

In short, sending back a RST packet has been around for many, many years as a standard action of a firewall. 

--Brett Glass