(If the author is reading this: bad formatting for fin: and acknumdiff: )
Once again a discussion that covers RST injection attacks fails to consider the one case I actually saw in the wild ...
My observation involved long-lived (much longer than typical for HTTP) TCP connections with low-but-nonzero traffic (there was an application-layer heartbeat). For at least some US residential IPs (some with effectively static allocation) connected to a datacenter, they would reliably get RST injected (to the client only, not the server) after being connected long enough (usually a couple hours, but not any obvious pattern).
Maybe a fun idea - run an application on both sides of a remote TCP connection that records but doesn't respond to TCP RST packets. Then see how many times you get "reset".
(If the author is reading this: bad formatting for fin: and acknumdiff: )
Once again a discussion that covers RST injection attacks fails to consider the one case I actually saw in the wild ...
My observation involved long-lived (much longer than typical for HTTP) TCP connections with low-but-nonzero traffic (there was an application-layer heartbeat). For at least some US residential IPs (some with effectively static allocation) connected to a datacenter, they would reliably get RST injected (to the client only, not the server) after being connected long enough (usually a couple hours, but not any obvious pattern).
In my very populous country, the largest ISP will inject resets if it's over IPv4 and idle for more than 10 seconds :)
These things are unfortunately rather common. This is also why I run SSH with a 5 second heartbeat duration, for example.
Is the server on OVH? This is a known "feature" of their DoS protection that cannot be turned off.
Maybe a fun idea - run an application on both sides of a remote TCP connection that records but doesn't respond to TCP RST packets. Then see how many times you get "reset".
You can just drop RST packets.
That looks like exactly what I did, but it was a pain trying to get random users to do run code as root.
Why do I find this so funny...
They've given out a bot identification signal. Now botters are going to deliberately cancel 6% of their TCP connections ;)
[flagged]
Are you thinking of Crowdstrike?
> Are you thinking of Crowdstrike?
Ha! Yes.