DetectingForgedTCPResetPacketsNicholasWeaverICSInweaver@icsi.berkeley. - PDF document

DetectingForgedTCPResetPacketsNicholasWeaverICSInweaver@icsi.berkeley.eduRobinSommerICSI&LBNLrobin@icir.orgVernPaxsonICSIandUCBerkeleyvern@icir.orgAbstractSeveraloff-the-shelfproductsenablenetworkoperatorstoenforceusagerestrictionsbyactivelyterminatingcon-nectionswhendeemedundesirable.Whilethespectrumoftheirapplicationislarge—fromISPslimitingtheusageofP2Papplicationstothe“GreatFirewallofChina”—manyofthesesystemsimplementthesameapproachtodisruptthecommunication:theyinjectarticialTCPReset(RST)packetsintothenetwork,causingtheendpointstoshutdowncommunicationuponreceipt.Inthiswork,westudythecharacteristicsofpacketsinjectedbysuchtrafccon-troldevices.Weshowthatbyexploitingtherace-conditionsthatout-of-banddevicesinevitablyface,wenotonlycandetecttheinterferencebutoftenalsongerprintthespe-cicdeviceinuse.Wedevelopanefcientinjectiondetectoranddemonstrateitseffectivenessbyidentifyingarangeofdisruptiveactivityseenintracesfromfourdifferentsites,includingterminationofP2Pconnections,anti-spamandanti-virusmechanisms,andthendingthatChina's“GreatFirewall”hasmultiplecomponents,sometimesapparentlyoperatingwithoutcoordination.Wealsondanumberofsourcesofidiosyncraticconnectionterminationthatdonotreectthird-partytrafcdisruption,includingNATs,load-balancers,andspambots.Ingeneral,ourndingshighlightthat(i)InternettrafcfacesawiderangeofcontroldevicesusinginjectedRSTpackets,and(ii)toreliablydetectRSTinjectionwhileavoidingmisidenticationofothertypesofactivityrequiressignicantcare.1IntroductionArgumentstendtobecomeheatedwhennetworkoper-atorsrestricttheirusers'communicationbyactivelyinter-feringwithtrafc.Recently,whenComcastwasaccusedofinterruptingtheircustomers'BitTorrentconnections[11],thepublicdebateeventuallyevenledtoahigh-proleFCChearingonthelegalityoftheirpractice[13].Oneconse-quenceofsuchuproaristhatnetworkoperatorsmaydeclinetoopenlyinformcustomersaboutactivemeasurestheyde-ploy,leavinguserswithonlyspeculationaboutthecauseforconnectionsterminatingwithoutapparentreason—andsometimesusersthenwronglyaccusetheirISP[26].AdifferentformofsuchactivetrafcinterferencecomesnotfromISPsbutgovernments.Forexample,the“GreatFirewallofChina”censorsInternetcommunicationbyter-minatingconnectionsthatrelatetotransferofinformationdeemedundesirablebytheChinesegovernment[12].Facedwithuncertaintyaboutthepresenceanddegreeofactiveinterference,anaturalquestionarises:towhatdegreecanwedetectwhenanetworkactivelydisruptscommunica-tion?Inthisstudy,wepursueansweringthisquestion.Wefocusonaspecic,commonlydeployedmethodtotermi-nateanactiveconnectionondemand,namelytheinjectionofforgedTCPReset(RST)packetsintoTCPows,whichmanipulatestheinvolvedendpointsintoshuttingdowntheircommunication.Whilethismethodhasbeenwell-knownforyears,itrecentlygainedtractionwithseveralcompaniesnowofferingsuchfunctionalityinhigh-performance,off-the-shelfproducts.AcrucialobservationaboutRSTinjectorsistheirout-of-bandoperation.Theycanmodifyneithertimingnorcon-tentofanypacketssentbyend-hosts(iftheycould,theycouldcontroltrafcbysimplydroppinganyfurtherpack-ets).Therefore,suchinjectorsfaceraceconditions:be-tweenthetimewhentheyinjectRSTsuntiltheendpointsreceivesthese,theTCPconnectionstatecanchangeduetothetransmissionorreceptionofadditionallegitimatepack-ets.Thesechangescandelaytheconnectionterminationorevenrenderitineffective.Inthisworkweexploittheserace-conditionstoidentifyinstancesofinjectedRSTsviapassivemonitoring.Wede-velopasetoftestsforanumberofrelevantsituationsandcombinethemintoadetectorthatcanoperateonbothtracesandreal-timeonlivetrafc.Inaddition,wendthatmanyreal-worldinjectorsexhibitidiosyncraticpeculiaritiesinthespecicsofhowtheycrafttheRSTpackets,enablingustodevelopinjectorngerprintsthatidentifywhichspecicde-viceisdeployedonagivennetworkpath.Wehavedesignedourdetectortooperateinaconserva-tivefashion:itonlyreportsRSTsthatwithhighprobability correspondtoexternalinjection,preferringfalsenegativesoverfalsepositives.Thistrade-offiscrucialbecause,asweseeduringourevaluation,regularnetworkdevicescanalsocreateunusualsituationsthatapassiveobservercouldmis-interpretasasignofinjection.Whencarefullyexaminingourdatasets,weindeeddiscoveranomalousRSTssentbyNATs,load-balancers,PlanetLabhosts,andbuggyTCPim-plementationsofspambots.Thus,itisvaluabletonotonlydetectaRSTassuspicious,buttoalsodevelopngerprintsinanattempttoclassifyaninjectedRST'ssource.Finally,whileinthisworkwedonotaimtotakeapositionregard-ingthelegitimacyofactivetrafcinterference,wenotethatweobserveevidenceofanti-spamandvirusblockersthatalsouseRST-injectiontoblockmalicioustrafc.Westructuretheremainderofthispaperasfollows.InSection2wecoverrelatedworkonknownsourcesofin-jectedRSTpackets.Section3discussestheprinciplesofout-of-bandowblocking.Section4discussesthefree-domsinvolvedincreatingRSTpackets,bothfromtheendhostandforaninjector.Section5presentsourdetectorforanomalouspacketscommonlygeneratedbyRSTinjectors.Section6introducesthefourdatasetsweusedinoureval-uation,andSection7discussestheinjectorswewereabletondandngerprint,aswellasseveraltypesofanoma-lousRSTsnotcausedbypacketinjection.WeconcludeinSection8.2RelatedWorkAstudybyArlittandWilliamson[1]showsthatRSTsaresurprisinglycommonontheInternet.TheyexaminedayearofSYN/FIN/RSTpacketsfromtheUniversityofCalgary'sborderandfoundthatroughly15%ofallTCPowswereterminatedbyaRSTpacketafterpayloadhadalreadybeensentinatleastonedirection.TheresetratewasevenhigherforHTTPtrafc,with22%oftheowster-minatedbyaclient-sideRST,and3%byaserver-sideRST.Tounderstandthesesurprisinglyhighnumbers,theauthorsevaluateddifferentcombinationsofWebserversandclientstodeterminewhentheygenerateRSTsinsteadofnormalFINshutdowns.Amongothereffects,theydiscoveredWebserversclosingidleconnectionswithRSTpacketsaswellasbrowsersconsistentlyterminatingpersistentconnectionswithRSTs.Packetinjectionisawellknowntechniqueemployedbynetworkintrusiondetectionsystems(NIDS)toterminatemaliciousconnections.Snort's[24]spresponseandspresponse2pluginssupportRSTandICMPinjection.TheBroNIDS[19]likewisecomesawithatooltoinjectRSTpackets.Song'stcpkill[25]isastand-aloneutilityforthesamepurpose.WediscusstheoperationofthesetoolsinAppendixB.Awell-knowndeploymentofRSTinjectorsisthe“GreatFirewallofChina”,whichterminatesInternetconnectionsdeemedundesirablebytheChinesegovernment[12].Clay-tonetal.[5]observethatthe“GreatFirewall”sendsse-quencesofRSTpacketswithTCPsequencenumbersin-creasingby1460witheachpacket,1apparentlytocompen-sateforpotentialfurtherdatahavingarrivedatthedestina-tioninthemeantime,asdiscussedbelow.TheyalsoreportthattheRSTshaveIPTTLsthatdifferfromotherpacketsfromthepurportedsourceaddress.Onceahostpairhashadaconnectionterminated,the“GreatFirewall”thensendsin-dividualRSTsforeachnewlyinitiatedconnectiontomain-taintheblock.Asacounter-measure,theauthorsproposetoignoreRSTpacketswithwildlydifferentTTLs.How-ever,asdevelopedinourstudy,wedonotndthisaprac-ticalmitigationtechnique,assimilarwildlydifferentTTLsariseinnormaltrafc(seeAppendixC).Crandalletal.[8]spentconsiderableeffortmappingthe“GreatFirewall”,in-cludingdeterminingtherstpointwherelteringoccursbysendingprobeswithdifferentTTLs,anddevelopingkey-wordmapsofthedetector'ssensitivity.Independentofthedetailedfunctioningofthe“GreatFirewall”,Fallows[12]arguesthatitdoesnotneedtobetechnicallyperfecttoreachitsgoal;ratheritsufcestomakeaccesstoexternalinfor-mationenoughofnuisancetospurpeopletopreferusingresourceswithinChina'sborders.ArecentcontroversialuseofRSTinjectionisrestrict-ingpeer-to-peer(P2P)trafcaspracticedbymultipleISPs,particularlytoblockbulktransferssuchasthoseofBitTor-rent[2].ExtensivepublicitysurroundedComcast'suseofthistechnique[11],leadingtosignicantdebateandmul-tiple(somewhatadhoc)studies.Itcanprovedifculttoconductsuchinvestigationsinasoundfashion.Onestudy,sinceretracted,claimeddetectionofRSTinjectionthatinfactoccurredduetoanartifactofthelocalNATreactingtoalargenumberofdistinctows[26].Vuse,basedonsimplycountingthetotalnumberofreceivedRSTpack-etsseenbyaclient,claimedthatAT&TperformsRSTin-jectionwithoutregardtotheircontext[27];AT&Tdeniedtheseallegations[4].TheEFFhasinitiateda“TestYourISP”project[10]withthegoaltodevelopinformationandsoftwaretoolsthatallowcustomerstoexaminetheirInter-netconnectionsforactiveinterference.Sofarthetwotoolsreleasedinthiscontextarepcapdiff,whichcomparestwopackettracesofthesamecommunicationcapturedatdif-ferentlocationsfortelltaledifferences,andSwitzerland,ahigher-leveltoolthatautomatesthecomparisonprocessbyutilizingacentralserver.Inbothcases,onlyifbothsidesofaowareoperatingthetool,injectedRSTsandotherchangeswillbedetected.Dischingerandcolleaguesde-velopedaJavaappletforvolunteerstorunwhichimitates11460isacommonmaximalTCPpayload,basedon1500-byteEther-netpayloadsminus40bytesofTCP/IPheaders. BitTorrenttrafc[9].Althoughtheyusedaverydiffer-entmethod,manyoftheirresultsagreewithoursintermsofdetectingindividualISPs,includingCox,Comcast,andStarHub.AsomewhatdifferentRSTinjectionattackthanthoseweconsiderinthisstudyisblindRSTinjection.Whileitsgoalisthesame—externallyshuttingdownaconnectionusingforgedtrafc—hereattackerscannotobservetheconnec-tion'spackets.Assuch,theylacksufcientinformationtocraftin-sequenceRSTpackets,buttheycanstillcarryoutbrute-forceattacksbysendingmanyRSTswithdifferentse-quencenumbers(abettedbyguessinglikelyvaluesofsomeelds),hopingtohitthetarget'sTCPwindowwithatleastone.AsWatson[28]shows,suchanattackcanbesuccess-fulwithinafewminutesusingaDSLline.ThethreatofsuchattacksdisruptingInternetroutingleadtothedevelop-mentoftheTCPMD5signatureoption[14],and[21]pro-posesrequiringRSTstoexactlymatchthecurrentsequencepoint.Out-of-BandFlowBlockingInthissectionwesummarizeapproachestoblockcom-municationdeemedundesirable.Weassumeuseofatraf-cmonitorthatinspectsTCPowsforviolationsofanet-work'spolicy;itinstructsa(generally)independentcon-nectionterminatortostopthoseidentied.Suchpolicyde-cisionscanforexamplebetakenbasedonsecuritypolicy(e.g.,byanIDS),accessrestrictions(e.g.,China's“GreatFirewall”)orfortrafcmanagementpurposes(e.g.,Com-cast'sBitTorrentpolicy).Themaindifferenceofsuchamonitor/terminatorsetupcomparedtoatraditionalrewallisthattypicallyallowsareinitiallyallowedthrough(“de-faultallow”),withpotentialblockingdecisionstakenonlylaterifaconnectionisfoundtoviolatepolicy.Devicestointerruptcommunicationcanoperateeitherinlineorout-of-band.Forinlinedevices,blockingundesir-ableconnectionsiseasy:oncethedropdecisionismade,thedevicesimplyceasestoforward(i.e.,drops)allsubse-quentpacketsassociatedwiththeows.However,inlineoperationalsointroducesnewpointsoffailureandcaneas-ilybecomeaperformancebottleneck.Consequently,manyoperatorspreferout-of-banddevicesoperatingonacopyofthetrafcstream(e.g.,receivedviaanopticalsplitter),whichdoesnotimpactthenetwork'sprincipleoperationwhenstressedoruponfailure.Thismaybetrueevenwhendevicessupportinlineoperation,suchastheSandvinetoolusedbyComcast[6].Sinceout-of-pathdevicescannotdirectlyblockundesir-abletrafc,theymustresorttoindirectmechanismstoter-minateows,ofwhichseveralexist:(i)instructanexist-ingin-pathdevice,suchasrouter,toblocktheow(ACLinjection);(ii)insertbogusTCPdatapacketstodesynchro-nizetheendpoints'TCPstacks(thiscanhoweverleadto“storms”ofpacketsbetweentheendpointsthatconsumeconsiderablenetworkresources[15]);(iii)injectforgedTCPFINpacketsintotheow,oneforeachdirection;and(iv)injectingforgedRSTpacketsinsteadofFINs,whichhastheadvantageofrequiringonlyoneendpointtoacceptapacket,andrunslessriskofdesynchronizationstorms.Inthisstudy,wefocusonthelastofthese,injectionofforgedRSTpackets,amethodcommonlyusedtoday(e.g.,itisdeployedbythe“GreatFirewall”aswellasbyCom-cast'sP2Pdisrupter).Morebroadly,however,theprinciplesunderlyingourtechniques—inparticular,theinsightthatin-jectionbasedonpassivemonitoringwillfaceracecondi-tionsduetodelaysinthepacketcreationprocess—shouldapplytootherformsofinjection,includingTCPFINpack-etsandspoofedDNSreplies.4PropertiesofRSTPacketsWenowexplorehowbenign,end-hostinitiatedRSTsshouldappearversushowinjectorscancrafttheirpack-ets.(Notsurprisingly,wendend-hostsdonotalwaysbe-havelikethey“should”,however,perSection7.2.)Accord-ingtoRFC793[20],anend-hostshouldsentaTCPRSTpacketwheniteitheraborts(prematurelyterminates)anex-istingconnection,orwhenitreceivesaTCPpacket(otherthananinitialSYNoraRST)thatdoesnotcorrespondtoanactiveconnection,whichincludesconnectionsalreadyaborted.Onceanend-hosthassentaRSTforaconnection,itshouldnotsendfurtherdatapackets.ItcanhoweversendmoreRSTsinresponsetocontinuedtrafcfromtheothersideoftheconnection.2ThecrucialeldinaRSTisitssequencenumber,whichmustbechosencorrectlyforthepackettobeacceptedbythedestination.PertheRFC,whenabortingaconnectionthesendershouldsendanin-sequenceRST,i.e.,setthese-quencenumbertothenextavailableoctetinsequencespaceifterminatinganactiveconnection.Ifthehostisrespondingtoapacketreceivedforaninactiveoralreadyclosedcon-nection,theRST'ssequencenumbershouldreecttheACKeldintheelicitingpacket(orzero,ifACKwasnotset).Thus,therstRSTpacketsentshouldnothaveasequencenumberlowerthanapreviousdatapacket—althoughsubse-quentRSTpackets,respondingtoACKsfordatasentearlierinthesequencespace,mayusealowersequencenumber.TheRFChoweveralsospeciesthatreceiversshouldtreatarrivingRSTsliberally:anyin-windowsequencenum-berisconsideredacceptablebecausedatapacketsprecedingtheRSTmayhavebeenlost.YetnotallTCPstacksfollow2ThisisanotherreasonwhyTCPRSTs,ratherthanFINs,arepreferableforterminatingconnections.WithaFIN,ahostmayacceptaFINbutstillsenddatainahalf-openstate,whileahostthatacceptsaRSTwillneitheracceptnorsendsubsequentdataonthatconnection. thisadvice.SomeareverylaxandacceptRSTsoutsideofthewindow;othersarestrictandrequirethesequencenumbertobeexactlyin-sequence,ignoringothervalueswithinthewindow(whichpreventsblindRSTinjectionat-tacks[21]).Figure4of[23]summarizesthebehaviorofnumeroussystems.Aninjectormightattempttoexploitthestandard'sad-vicebysendingRSTswithmultiplesequencenumbers,withtheadditionalsequencenumbersdeliberatelypickedhigherthanthecurrentsequencepointinordertocountertherace-conditionoffurtherdatapacketsbeingalreadyinight(seeSection5).Wedonotexpecttoseesuchbe-haviorfrombenignend-hosts,asthiswouldrequiretheendhostsendingRSTsthatdon'tcorrespondtoanydatapacketssentorreceived.OthereldsoftheIPandTCPheaderarelesscrucialforaRSTpacket,andaninjectorhasthereforeconsiderablefreedominchoosingthem.Iftheirvalueshoweverdivertfromcharacteristicsexhibitedbythepurportedendpoint,apossibilityforngerprintingordetectionarises.Foursignicantheadereldsnotcheckedforcorrect-nesswhenreceivingaRSTpacketareotherTCPags,TCPACKnumber,IPIDandTTL.Wewouldhoweverexpectanend-systemtosettheseinaconsistentfashion.Accordingtoouranalysis,commonchoicesfortheACKnumberarezero,thecurrentsequencepoint,andanACKnumbercor-rectlyacknowledgingreceiveddata.TheIPIDisoftenzero,orincrementedinconsistentstepsforsubsequentpackets.WemightalsoexpectthattheTTLshouldnotvarysigni-cantlyacrosspacketsfromthesamesource.Forallthreeoftheseelds,aninjectorcaninprinciplepickarbitraryvaluesforitsforgedRSTs.Lookingforin-consistenciesthuswouldappeartoofferameanstospotinjectorsthatdonottrytoevadedetection.However,aswereportinAppendixC,bothIPIDandTTLarehighlyvolatileevenfornormalRSTtrafc.Thus,theyarenotsuitablebythemselvesfordetectinginjectedRSTs,butdoproveusefulinconstructingngerprintsforindividualRSTinjectors.Anotherfeaturetolookatispayload.WhileRSTpack-etscancarrydatapayloads(fordiagnosticmessages—notpartoftheregularbytestream),mostcommonlytheydonot.TheforgedRSTswehaveobservedareusuallyalsoempty,andthereforethepresenceofpayloaddoesnotprovideasuitablefeaturefordetection.AsweshowinSection7.1.7,therearehoweversourcesthatinsertreadablemessagesintoRSTpackets.Finally,thetimingofRSTpacketsisimportanttocon-sideraswell.ThegapbetweenaRSTandthepacketpre-cedingitcanvarywidelyforend-hostgeneratedRSTs.Forexample,Webbrowsersoftenabortconnectionswithinmil-liseconds,whileRSTstriggeredbystatetimeoutsarepre-cededbyasubstantialintervalofnon-activity.Aninjectordoesnothavethisfreedom:thelongerittakesittoinjecttheRST,thehigherthelikelihoodthatfurtherpacketsaretransmittedbetweentheendpoints,renderingthetermina-tionineffective.Therefore,inourinjectiondetectorwefo-cusonRSTsoccurringinshortsuccessiontotheprecedingpackets.5DetectionToolboxWenowdevelopasetofdetectorsforabnormalsitua-tionsthatactive,out-of-bandRSTinjectioncancause.AsourdiscussioninSection4shows,duetothelargedegreeoffreedomaninjectorhaswhenbuildingaRSTpacket,apassiveobservercannotalwaysreliablydifferentiatebe-tweeninjectedRSTsandnormalend-host/networkbehav-ior.Therefore,whenbuildingourtoolboxoftests,wedonotstriveforcomprehensivecoverageofallthewaysinwhichaninjectedRSTpacketcanshowupatourmoni-toringpoint.Weratherpickcasesinwhichinjectioncausesartifactssufcientlydistinctfromnormalend-hosttrafctowarrantfurtherinspection.AswelatershowinSection7.1,oursetofdetectorsisindeedabletoidentifyawidespec-trumofactiveinterference.EachofourdetectorstargetsaspecicsituationthatislikelytoindicatethepresenceofoneormoreinjectedRSTpackets.WeassumethatinjectorswillsendatleastoneRSTtoeachendpointoftheconnectiontobeterminated,whichisnearlyallinjectorsknowntouswork(theexcep-tionistcpkill[25]).Inthefollowingwedescribethede-tectorsinformallyandrefertoAppendixAfortheirprecisedenitions.Westartwithtwodetectors,RSTSEQDATAandDATASEQRST,whichtargettworaceconditionsthatanyout-of-pathRSTinjectorinevitablyfaces:RSTSEQDATA:Oneraceconditionoccursbetweenthetimewhenaninjectorseesadatapacketthattrig-gersitsdecisiontoterminatetheconnection,andthetimewhentheinjectorsendsoutthefakeRSTpacket.Duringthisinterval,furtherpacketsfromthesendermaypasstheinjector'sobservationpoint.Ifthishap-penswewillobservethattheRSTpacketis“outofse-quence”,withthereceiverobservingasequencenum-berlessthantheprecedingdatapacketwouldsuggest,aconditionwedetectasRSTSEQDATA.Mostre-ceiverswilllikewiseconsidertheRSTtobeout-of-sequenceandthereforeignoreit.Asdatapacketsareoftensentquicklyback-to-back,weexpectthissitua-tiontooccurfrequentlywhenaninjectorisinuse.Intheabsenceofinjection,however,itshouldnotoccurduringnormalTCPoperation,otherthaninquitepe-culiarsituations.DATASEQRST:AnotherraceconditionoccurswhenatthetimetheRSTisinjected,furtherpacketsarenow alreadyinight,orwillbesentshortlylater,becausetheinjectorcannotstopthesenderquicklyenough.Inthesecases,thereceiverwillseefurtherdatapacketsfromthesenderafterithasalreadyreceivedtheRST.OurdetectorDATASEQRSTtriggersforsuchsitua-tionsbylookingfordatapacketshavingalargerse-quencenumberthanindicatedbyapreviouslyarrivingRSTpacket.Again,thissituationshouldingeneralnotoccurduringnormalend-hostcommunication.Theseraceconditionsdonothavetooccur.Inparticular,RSTSEQDATAraceconditionsdependuponthereactiontimeoftheinjector—whetheritcanmakeadecisionandgenerateaRSTpacketbeforethenextpacketpassestheinjector.Thus,theprevalenceofthisraceconditionmaydependontheinjector'simplementationandcurrentload.TheDATASEQRSTracedependsmoreonnetworktopol-ogy.Iftheinjectorisfarfromtheend-host,itismorelikelythattherewillbeasubsequentin-ightpacket.Ourthirddetectortriggerswhenitseesacommoncounter-measuremanyinjectorstake:sendingmultipleRSTsinsteadofjustone.Withoutthiscountermeasure,aconformingTCPstackwouldignoretheRSTpacketwhenaRSTSEQDATAraceoccurs.RSTSEQCHANGE:ByquicklysendingmultipleRSTswithincreasingsequencenumbers,aninjectorcanincreasethelikelihoodofgettingatleastoneofthemthrough.Ithoweverfacesthedilemmaofhav-ingtopickahighersequencenumberwithoutknowingwhatthesourcewillsent,andthereforemightguessavaluehigherthanthemaximumsequencenumberthereceiverwillhaveseenatthetimetheRSTarrives.TheRSTSEQCHANGEdetectorleveragesthisobser-vationbylookingforback-to-packpairsofRSTsinwhichthesecondRSThasasequencenumberhigherthantherst,andthatexceedsthecurrentmaximumsequencenumber.AstandardcompliantTCPstackshouldneversendsuchapacketbecauseitsRSTsshouldeitherbeinsequencewiththedata(soatthemaximumsequencenumber)orinresponsetopacketsfromtheotherside(whichshouldhaveanACKeldlessthanthemaximumsequencenumbersent).TheRSTSEQCHANGEdetectordoesnotdependonaracecondition.Rather,itdetectsanaturalconsequenceofconstructingarobustRSTinjector.Thus,ourdetectorisnotguaranteedtodetectinjectorsthatarenotrobusttotheRSTSEQDATAracecondition,butwilldetectinjec-torsthatsendmultiplepacketstoavoidtheracecondition.Finally,weaddthreemoredetectorstoourtoolboxwhich,eventhoughtheyarenotclearindicatorsforthepresenceofanactiveinjector,triggerforRSTtrafcthatissufcientlyoddtowarrantfurtherinspection:RSTACKCHANGE:DetectsRSTswithseeminglynonsensicalACKnumbers.Specically,thedetectorlooksforpairsofRSTsinwhichthesecondRST'sACKnumberdiffersfromitspredecessoranddoesnotliewithintherangeofsequencenumbersseenfromthedatasender.Althoughnotanecessaryfeatureforin-jectedRSTs,wehaveobservedthatsomeinjectorsin-correctlyincrementtheACKratherthantheSEQeldwhensendingmultiplepackets.SYNRST:DetectsinitialSYNsimmediatelyfollowedbyaRSTinthesamedirection.Whilethisbehaviorcanoccurbenignlyforsomeapplications(e.g.,Webbrowsers),itcanbeanindicatorofactiveinterferenceforothers.SYNACKRST:DetectsinitialSYN/ACKsimmedi-atelyfollowedbyaRSTinthesamedirectionwithnointerveningpacket.SimilartoSYNRST,thiscanbeanindicatorofRSTinjection.Wehoweveralsoseeitwithserversmakingadecisiontoacceptaconnec-tiononlyaftertheirTCPstackhasalreadyacknowl-edgedtheinitialSYN(e.g.,becauseload-monitoringndstheserver'sloadtoohightoacceptnewrequests,orduetoconsultinganSMTPblacklist).Finally,forourdetectorsweneedtoselectvaluesfortwoparameters(T1andT2inAppendixA).Therstofthesegovernsthemaximumdelayaninjectorcanexhibitinissuingitsresponsetotrafc,forwhichwechose2secassufcientforaveryslowinjectorevenonaveryslowlink.RSTswithlargerdelayslikelyreectstatemanage-mentorsender-sidebugsratherthaninjection.Thesec-ondparameterboundsthedelayforterminationofcon-nectionsduringtheestablishmentphase(fortheSYNRSTandSYNACKRSTdetectors).Herewechose0.1sec,be-causesuchdecisionsshouldbequickforaninjectortomake(sinceonlyinspectionofheaderinformationcancomeintoplay).WeimplementourdetectorinClick[16],aimingforhighperformancewhenrunningonlargetrafcstreamssuchascampusborders.Tokeepmemorymanagementefcientandsimple,weuseaxedcachetotrackactiveows,ratherthandynamicallyallocatedtables.Weprovisionthecachewith256Kentriesand32-wayassociativitywithLRUre-placement.Badevictionsfromthiscacheleadtomissedalertsratherthanfalsepositives;wecheckedforsuchevic-tionswhenrunningonparticularlylargeUCBtracesanddidnotrecordanythatwouldhaveresultedinlossofaccu-racy.Toenablefurtheranalysis,wecouplethedetectortoa500K-packetbuffertoextractcontextsurroundingpossibledetections.Weinsertalldetectionsintoadatabase,includingpacketheadersforthealertingpacket,upto200priorand100sub- sequentpackets,andpayloadsofanyRSTpackets.Thisprovidesuswithsignicantcontextaroundthealerttode-velopandevaluatengerprintsofinjectors.Wealsostoreinthedatabasethefullyqualiedreverse-lookup(PTR)fortheIPaddresses,excludingtheactualhostname(thusfoo.bar.baz.comisrecordedasbar.baz.com),aswellasthenation,state,andcitylookupresultsfromtheGeoLiteCityGeoIPdatabase[17].Toenableotherstorunourdetector,itoptionallycananonymizetheIPaddressesandhostnames.6DatasetsWeusedthedatasetsfromfourinstitutionsforourstudy:InternationalComputerScienceInstitute:Weranapro-totypeofourdetectoratICSIfromJanuary23rd,2008untilMay1st,runningonallTCPtrafcotherthanSSH.Thisde-tectorwasusedtoguidea“hosts-of-interest”selection,cap-turingalltrafcbetweenanytwohostsgeneratinganalertforlateranalysis.Duringthemeasurementperiodthedetec-torwasnotstatic,butreceivedseveralimprovements.Itini-tiallyonlydetectedDATASEQRSTandRSTSEQDATAanomalies,butlaterrantheentirecomplementofalerts.Thus,wecannotusethisdatatogaugetheoverallpresenceofinjectedpackets,butbecauseithasextensivecontextitallowsdetailedinvestigationofindividualactivity.UCBerkeley:WecapturedtheUCBtraceusinganexper-imentalintrusiondetectionclusterthatreceivestrafcfromthecampus'twoborderrouters.Astheroutersaggregatetrafcontoasingle1GbpsSPANport,thisenvironmentcansaturateduringtrafcpeaks.Wecaptureddatarepre-senting40%ofthetotalbordertrafc,exceptfordatain-volvingUCB'sPlanetLabnodes.Themonitoringsetupre-ceivesasubselectionoftheowsfromtheSPANport;inmostcases,bothhalvesofeachow,butinsomecasesonlyasingleside.Theselatterdonothinderouranalysisex-ceptthatwesuppresstheRSTACKCHANGEalert,andtheRSTSEQCHANGEalertdoesnotchecktheACKvalue.Thistraceranfor19hoursstartingat2PM,April21,2008,capturing5.2Gpktsand73MTCPows.Excludingbackscatterandpartiallycreatedows,thetracecontains30.2MTCPows.Inevaluatingthistrace,wealsoveriedthatourcachingwasnotcausingproblematicevictions:weexperiencednoevictionsfromourdatastructure'scachesfordatalessthan4secold.Thus,ourcaching-basedstructuredidnotcauseustomissalerts.However,thelimitedbufferof500Kpack-etsdidcauseustolosesignicantcontextforthealerts.Atworst,thebufferonlyheld7secofassociatedtrafc,limit-ingthecontextaroundeachalertforfurtheranalysis.ColumbiaUniversity:TheColumbiatraceconsistsofadaycapturedattheborderoftheinstitute'sComputerSci-enceDepartment,excludingPlanetLabservers.Wedonothavepacketcountsforthistrace.GeorgeMasonUniversity:TheGMUtraceconsistsof5hroftrafccapturedatthecampusborder,totalingapprox-imately70GB.Thistracewasprocessedliveratherthanofine.Foralltraces,weexcludedSYNRSTalertsforports80,113,and443,andSYNACKRSTalertsforports25,80,and443,inbothcasesduetotherebeingalargenumberofbenigncausesforthealerts.(Forexample,Facebook'sHTTPserversgeneratedalargenumberofSYNACKRSTalertsintheUCBdata.)OnesourceofSYNRSTalertsonport80and443comesfromusershittingthe“Stop”but-tonontheirwebbrowser.Alertsonport113arisefromhowsomemailserverscontactthe“identication”service.SYNACKRSTalertsonport25canbeduetomailserveraborts,wherethemailserveracceptsaconnectionandthenchecksablacklist,whileport80and443alertsappearduetohigh-loadissues,whereaWebserverwillinitiallyacceptaconnectionandthenrejectitduetoitsloadpolicies.Onceallalerts,context,anddataareloadedintothedatabase,wewereabletocorrelatebetweenmultiplealertsanddevelopngerprintsofindividualRSTinjectorsaswellasbenignsources.Wedevelopedthesengerprintsthroughmanualexamination,lookingforcommonpatternspresentinthealertsfromthesameanddifferentIPaddresses.Whenwecouldngerprintaninjectororanon-injectedsource,weclassieditaseitheratruedetectionorasnon-injected(suchasduetoamisbehavingin-pathdeviceoramisconguredTCPstack).Inaddition,asdiscussedlater,wealsondbehaviorthatwedeemaslikelyoneortheother,but,becausewecouldnotdetermineareliablen-gerprintforit,wecannotpreciselyidentify.7ResultsWenowpresenttheresultsofourdetectorrunningonthedatasetsdiscussedintheprevioussection.Westartwiththekindsofinjectorswewereabletoidentifybytheircharac-teristicngerprints,followedbyadiscussionofunexpectedRSTsweobservedthatdonotappearduetoout-of-bandinjection.Table1summarizesthengerprintswedeter-minedfordifferentRSTinjectors,andTable2summarizesthealertsforthesereportedbythedetector.CountsinTable2reectdistinctIPaddresses,notdis-tinctows.Anygivenaddressmayhavemultipleowsthatgenerateanalert,assystemsmayretryconnections. IdentiedSourceSignatureIdentiedInjectorSandvineMultipacket:FirstPacketIPID+=4,secondpacketSEQ+12503,IPID+=5BezeqintMultipacket:Constantsequence,RSTACKCHANGE,IPID=16448YournetSYNRST:OnlyonSMTP,TTLusually+3to+5,unrelatedIPIDVictoriaMultipacket:SequenceIncrement1500,IPID=305,TTL+=38IPID256Singlepacket:UsuallylessTTL,IPID=256IPID64Multipacket:IPID=64,oftensequenceincrementof1460IPID-26Multipacket:FirstIPID-=26,oftensequenceincrementof1460SEQ1460Multipacket:Sequenceincrementalways1460RAESinglepacket:SetsRST,ACKandECNnoncesum(controlbit8)GoAwaySinglepacket:PayloadonRSTof“GoAway,We'reNotHome”OptonlineMultipacket:Nongerprint,allactivityfromasingleISPIdentiedNon-InjectedSourceSYN/RST128SYNRSTwithRSTTTL+=128SYN/RST65259SYNRSTwithRSTIPID=652590-SeqRSTResetwithSEQ=0IPID0IPID=0,multipleRSTs,limitedrangeIPID0SoloIPID=0,spuriousRST(oftenignored)StaleRSTRSTbelongingtoapreviousconnection(portreuse)SpambotSRSpamsourcesendingpayloadpacketswithSYNandRSTagsDNSSYNRSTNormalDNSserversabortingconnectionsatinitiationTable1.FeaturesforbothidentiedRSTinjectorsandidentiednon­injectedsources.7.1IdentiedRSTInjectorsBycorrelatingthecharacteristicsofRSTsacrossourdatasets,weidentiedandngerprintedanumberofin-jectorsthatwebelieveourdetectorconsistentlyidenties.WepresenttheseinSection7.1.1–7.1.6andthendiscussinSection7.1.7additionalcasesthatappearlikelytoreectin-jection,yetforwhichwelacksufcientevidencetoconrmthatsuspicion.7.1.1TheSandvineRSTInjectorComcasthaspubliclystatedthattheyuseRSTinjectiontomanageP2Ptrafc[11],andithasbeenreportedthatthesedeviceswerepurchasedfromSandvine[22,6].Weexam-inedallowsreportedbyourdetectorinvolvingaComcasthost(asidentiedviareverseDNSlookups).Acrossthefoursites,90%(174of193)ofthealertingsourceshaveatleastonealertingowwithaback-to-backpairofRSTsforwhichthesecondhasasequencenumber12503higherthantherstandanIPIDincrementedby1.Additionally,in164casesatleastoneofthealertingowshadtheIPIDoftherstRSTcorrespondingtothatofthepreviouslyseenpacketincrementedby4.GiventheconsistencyoftheseRSTs,weconsiderthesefeaturestobeangerprintoftheSandvineinjector.IntheICSItraceweobserve106distinctComcastIPaddresses,30atUCB,36atColumbia,and2atGMU(toprowofTa-ble2).TheSandvineCTOsubsequentlyindicatedtousthattheparticularsequencenumberincrementof12503representsaknownbugintheirtool,andthattheintendedincrementwasfarsmaller[3].IncrementingtheIPIDby4doesnothaveanyfundamentalreasons,sincetheonlynetworkmecha-nismsensitivetoIPID(fragmentation)shouldnotcomeintoplay.IfthegoalistoavoidrepeatingapreviousIPID,se-lectingavalueatrandomwouldworkjustaswell,orusingalargerincrement.Comcast'sUseofSandvine:WelookedcloseratCom-cast'susageofRSTinjectiontoverifythecompany'spublicstatementsaboutitsapplicationoftrafcmanagement.AtICSI,weconrmedthatRSTsreportedforComcasttrafcindeedcorrespondtotheusageofP2Psoftware.AlmostalloftheComcastalertscamein4bursts:10onFebruary9th,23onFebruary18th,39betweenMarch8thand10th,and26betweenApril22ndand24th.Twoburstsmatchedwithreportedinstancesofexcessivebandwidthusagebylo-calusersrunningP2Psoftware,andweveriedthattheseremotehostswerecommunicatingwiththeoffendinglocalsystems.Oneofthesoloalertswasalsomanuallycorre-latedwithauserwhoforgottoturnoffhisBitTorrenttrans-ferwhenenteringICSI'snetwork.ThesealertsallreectedhighTCPports(�1050),whichtswithmanyformsofP2Psoftware. IdentiedAlertSourceICSIUCBColumbiaGMUIdentiedForgedRSTsSandvineComcast10630362SandvineCox3526230SandvineKorea15040SandvineOther0101BezeqintBezeqInt.25020Yournetyournet.ne.jp29000VictoriaUVic.ca1000IPID256Korea990160IPID256Other0500IPID64China13600IPID-26China35100SEQ1460China21531RAEChina2294,16280TotalIdentied275450644PossiblyForgedRSTsGoAwayVarious3500OptonlineOptimumOnline12000ExactMultipacketVarious71120Approx.MultipacketVarious2220TotalIdentied2534,180120IdentiedNon-InjectedRSTsSYN/RST128Various983620SYN/RST65259Various92000-SeqResetVarious484661IPID0Various1735190IPID0SoloVarious36149170StaleRSTVarious367231SpambotSRVarious11100DNSSYN/RSTVarious21400TotalIdentied257355472LikelyNon-InjectedRSTsWebServerVarious1713410SMTPSYNRSTVarious615400UnknownSYNRSTVarious38172100UnknownSYNACKRSTVarious5321140UnknownRSTACKCHANGEVarious7497325ConfusedMultipacketVarious183671HansonHansonInfosystems1000TotalIdentied214814646TotalUnknowns210588288TotalSources1,2096,38721520Table2.NumberofalertingsourceIPaddressesandtheirclassicationsineachtrace. 110102103104105106110102103104105106BytesToComcastBytesFromComcastTrafcBlockedBySandvinebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb110102103104105106110102103104105106BytesToComcastBytesFromComcastConnectionsClosedNormallybbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbFigure1.Bytestransferredandreceivedto/fromComcasthostscommunicatingwithICSI.TheleftplotshowssizesforconnectionsterminatedbySandvine­injectedRSTpackets,withComcasthostsidentiedbasedonhostnames.Forcomparison,therightplotshowssizesforallconnectionsbe­tweenthesameICSIhostsandComcasthoststhatwereinsteadclosedwithanormalFINhandshake;here,weidentiedComcasthostsbasedonWHOISdataforP2Ptrafc.ComcasthasstatedthattheirP2Ptrafcmanagementtargetsonlyuploads,i.e.,Comcastuserssendingsigni-cantvolumestoothers[7].Toverifythis,weestimatedthedatatransferredbytheaffectedowsineachdirec-tionbeforetheywereterminated.Figure1showsthatter-minatedconnectionsaccordedwithComcast'sstatement—disruptionmostlyoccurredonuploadsfromComcasthosts,anddidnotoccuronowswheretheComcasthostreceivedsubstantiallymoredatathanitsent.(Thesecondplotshowsthatthispatternisnotsimplyanartifactofregularcommu-nicationpatternswithComcasthosts.)However,wealsoseethat7%oftheaffectedowsdidnottransferasigni-cantvolumeofdataineitherdirectionbeforebeingblockedbyaninjectedRST,suggestingthattrafcuploadisnottheonlydiscriminatorinuse.AccordingtoSandvine,theirsoftwaresupportsdirectrecognitionthataclientisactingasaBitTorrentseedbyparsingBitTorrentmessages[3].OtherUsersofSandvine:WehaveobservedtwootherISPsusingtheSandvineinjector:CoxCommunications,andaKoreanISP.TheformerconrmsareportbyTopol-skiofCoxdisruptingP2Ptrafc[18],andwehaveiden-tiedthetoolinuseasthesameasdeployedbyComcast.WehavenotidentiedtheKoreanISP,butthengerprintisclear.Wealsofoundonealertingsourceineachoftwoothertraces,bothgeolocatingtotheUSA,butwithoutresolvablehostnames.7.1.2TheBezeqIntInjectorAnotherinjectorconsistentlyappearsintrafcinvolvinghostsfromBezeqInternational,anISPbelongingtothepri-maryIsraeliphonecompany.LikewithComcasthosts,wecouldconrmthesecasesasreectingP2PusageatICSI.Again,thisisamultiple-packetinjector.However,ratherthanchangingthesequencenumber,forunknownreasonsitincrementstheACKnumber(basedonthereceivedpacketwindowsize,andwithoutsettingtheACKag).Italsoal-waysusesIPID16448andadifferingTTL.Thesefeaturesappearduetoeithereaseofimplementationorbugs.ThisinjectoroperatesmoreaggressivelythanComcast's.Outof30owsblockedatICSI,onlytwomanagedtoex-changemorethanafewhundredbytesofdata.Forbothoftheseows,thedatawasalmostexclusivelysentfromICSItotheBezeqInternationalhost.7.1.3TheIPID256InjectorAnotherinjectionsourcewefoundisthe“IPID256”dis-ruptor,aninjectorthatusesaconstantIPIDof256.Weobservethisinjectorprimarilyinhoststhatgeo-locatetoKorea,alongwithsomeotherAsiancountries.UseofthisinjectorappearsunrelatedtoKoreanuseoftheSandvineinjector.Again,thisdisruptorappearstotargetP2Ptrafc. 7.1.4TheYournetInjectorAtICSIweobserved29addressesthatgeneratedSYNRSTalerts,allfromasingleJapaneseISP,yournet.ne.jp.EachalertcorrespondstoSMTPtrafcincomingtoICSI,representing30%ofallSMTPclientsthatexhibitonlySYNRSTalerts.(ThereisalsooneRSTSEQCHANGEalert.)InthiscaseweobservetheTTLoftheRSTpacketasusually5higher,andtheIPIDappearstohavenorelationshipwiththedataIPID.Thus,itappearsthatyournet.ne.jpactivelydisruptsemaildeliveryat-tempts,presumablyinanattempttocontrolspamoriginatedbybots.7.1.5TheVictoriaInjectorOnepeculiarhostgenerated96alertsinICSItracesdur-inga5-dayperiodinApril.Fromthetrafccontents,thishostappearstobeamailserverthatrepeatedlyattemptstodelivera“mailundeliverable”messagetriggeredbytheW32/MyDoom-Omailvirus.Theserverneversuccess-fullytransferredthemessage,witheachattemptsufferinginterruptionmid-transferbyasequenceof10RSTpack-ets.TheseRSTsalwayshaveIPID305andaTTLthatis38higherthanthedatapacket,andwithsequencenumbersincreasingby1500perRST.Wespeculatethistrafcreectsanin-network“virusscanner”thatheuristically(mis-)recognizesthebouncemessageasmalicious.Weattemptedtocontactpostmasterandsecurityatthissite,buthavenotyetreceivedaresponse.7.1.6TheChineseInjectorsWeobservefourdistinctRSTinjectorsthatappearonlyintrafcwithChinesehosts.The“IPID64”injectorusesaconstantIPIDvalueof64,andthe“IPID-26”injectoranIPIDvalue26lessthantheprecedingdatapacket.The“RAE”injectorsetstheRSTag,theACKag,andbit8oftheTCPags(ECNnoncesum).The“SEQ1460”in-jectorisamultipacketinjectorthatincrementsthesequencenumberby1460regardlessofthepreviouspacket'ssizeorapparentMTU;setstheACKagontheRSTpacket;andappearstochooseanarbitraryIPIDandTTL.Alloftheseinjectorsdisruptavarietyoftrafc,includ-ingemail,Web,andP2P.TheRAEinjectorisbyfarthemostcommon,andapartfromitsstrangeuseoftheECNnoncesumagishardtongerprint.Itisasinglepacketinjector,soitdoesnotgenerateclearRSTSEQCHANGEalerts.Itoften,butnotalways,takesitsIPIDfromtheprevi-ouspacket.Theinjector'saggressivenesstriggersSYNRSTandSYNACKRSTalertsaswellasDATASEQRSTandRSTSEQDATAalerts.SometimesmultipleChineseinjectorsoperatesimulta-neously.Forexample,weobservedanSMTPclientcom-municatingwiththeICSImailserverthatexhibitspacketsoriginatingfromboththeSEQ1460andIPID64injectors,whileawebservervisitedfromColumbiamanifeststheIPID64injector,likelytheSEQ1460injector(thoughanimperfectmatch),aRSTseeminglygeneratedbytheendhostandaRSTapparentlygeneratedbytheIPID-26in-jectorwhoseIPIDsuggeststhatitwasatleastpartiallyre-spondingtothepacketinjectedbythe1460injector!Theonlyotherapparentexplanationisthatourngerprintsareoverlynarrow,i.e.,wehaveassignedtwodistinctnger-printstothesamedevice.Ofall298ICSIhostsclassiedasdisruptedbyoneormoreoftheChineseinjectors,102hostscontainthenger-printsoftwoormoreinjectors.Ingeneral,theRAEinjec-torappearsindependentoftheotherthree(onlytwosourcesoverlap),buttheotherthreeinjectorsappeartotargetsimi-lar,andsometimesthesame,ows.7.1.7LikelyRSTInjectorsOneinterestingtypeofsourcesendsRSTswithapayloadof“GoAway,we'renothome”.TheRSTsequencenumbers,althoughchangingfrompackettopacket,neverexceedthemaximum-sentsequence,sowebelievethesourceiseitherstatefulorusesincomingACKstogeneratethesequencenumbers;thus,wecanonlydetectitwhenaRSTSEQDATAorDATASEQRSTraceconditionoccurs.WesawsuchsourcesfromSBC/PacicBell(AT&T)aswellasfromtwoMexicanISPs(prod-infinitum.com.mxandtelnor.net).AllalertscorrelatewithP2Pactivity.AsthesearenotuniquetojustoneISP,andaretoofewtofullyclassify,wesuspectthetrafccouldbegeneratedbyanon-ISPsource—possiblyend-systemsoftware.ItappearsthatOptimumOnline,adivisionofCablevi-sion,terminatesP2Powsaswell.12sourcesatICSIfromthisdomaingenerateRSTSEQCHANGEalerts,whichap-pearduetoamulti-packetinjector.Theinjectorusuallyuseseitherthelastpacket'sTCPpayloadsizeasthesequencenumberincrementortwicethisvalue.Wewerenotabletogenerateamoreprecisengerprint,andaswedonotseeanyevidenceofthisinjectorintheother,morerecenttraces,weassumethepracticemayhavebeendiscontinued.Thus,weclassifytheseonlyasaprobableinjectorratherthanaconrmedsource.FinallythereisagroupofsystemsthatexhibitRSTSEQCHANGEalerts,eitherusinganexactintervalfromthepreviouspacketoraslightlydifferentinterval.Wehavebeenunabletoclassifythesefurther,althoughsomecorrespondtotheStarHubnetworkpreviouslyreportedasblockingP2PbyDischingeret.al[9]. 7.2ApparentlyLegitimatebutUnexpectedRSTsOurdetectoridentiesanomalousRSTs,yetnotallofthemareduetoinjectors.Wecross-checkedthealertsus-ingseveralstrategiesinordertoassessthoseduetosourcesotherthaninjection,includinglookingforRSTssentbylocalhosts(forwhichwecouldobtaingroundtruth)andforexternalhostsknowntonotbesubjectedtotrafcman-agement.Thesemayrepresenteitherin-pathnetworkde-viceswithvariousbugs,orbugsinend-systemTCPstacks,ratherthanpacketsinjectedbyaseparatetrafcmanage-ment/disruptionsystem.JustasRSTinjectorscanshowclearsignatures,wecanngerprintsomebenignsourcesofunexpectedRSTsaswell.Wediscussthesecasesrst,followedbylikely-non-injectedRSTsforwhichwecouldnotdevelopaneffectivesignature.LegitimateResetsWithFingerprintCommonSYN/RSTSignatures:Weseealargenum-berofSYNRSTalertswithrepeatedsignatures,includingTTL128higherthanthetriggeringSYN(“SYN/RST128”),andaconstantIPIDof65259(“SYN/RST65259”).AsthesesignaturesdonotappeartohaveanygeographicorISPcommonality,weconsiderthemtoreectnon-injectedsources.RSTSignatures:Threeotherseeminglybe-nignsignaturesare(i)RSTswithasequencenumberofzero(“0-SeqRST”),(ii)sendingmultipleRSTswithIPID0withinalimitedsequencenumberrange(“IPID0”),and(iii)hoststhatgeneratespuriousRSTSEQDATAandDATASEQRSTerrorswithaRSTpacketwithIPID0inactiveows(“IPID0Solo”).Tracesoftheseappearquitepeculiar;wesuspectthebehaviorisduetomiddleboxorend-hostbugs.StaleRSTs:WeobservedarareRSTSEQDATAalertgen-eratedbyourinstitute'smailserver.Furtherexaminationshowsthecause:Asystem(presumablyaspambot)con-tactingthemailserverrstreceivesaSYN/ACK,priortoablacklistcheckcausingtheservertoterminatetheconnec-tion.Severalsecondslater,thepresumedspambotconnectsagain,usingthesameTCPsourceport(inviolationoftheTCPspec).ThissecondSYNisacknowledgedwithadiffer-entsequencenumber,afewpacketsareexchanged,andthenthemailserversendsaTCPRSTwiththesequencenumberoftherstow,creatingacompletelyout-of-sequenceRSTthattripsthedetector.Wetermthissituation“StaleRST”.SpambotSYN/RSTBug:Weobservednon-injectedRSTsduetoanapparentlybuggycustomTCPstackinspambots.Thesesystemsatrstcommunicatenormally,andthenforunknownreasonsgenerateanout-of-sequencepacketwithbothSYNandRSTagsset,andpayloadcontainingpor-tionsofaspammessage.DNSSYN/RST:WendthatDNSserverscangenerateSYNRSTalertsonTCPcommunication,forunknownrea-sons.Thisappearstobebenignactivitycausedbytheend-system.:InanearlytesttraceofColumbiatrafc,weobservedmorethan300distinctRSTSEQDATAandDATASEQRSTalertsinvolvingcommunicationbetweenColumbia'sthreePlanetLabnodes.Wedonotknowthecause,butduetoPlanetLab'sexperimentnatureweex-cludedthese.7.2.2AmbiguousCasesHTTPServers:Severaldomains,includingGoogleandYahoo,showrareDATASEQRSTandRSTSEQDATAalertswithHTTP/HTTPSconnections.WeassumethatthesedomainsdonotperformactivetrafcmanagementviaRSTinjection;manualexaminationdidnotrevealanyap-parentcause.WespeculatethistrafcisduetobugsorraceconditionsinHTTPload-balancersemployedbythesesites.Forexample,theICSItraceshows18instancesofRSTSEQDATAalertsgeneratedbyad1.p1.vip.rm.sp1.yahoo.com,wheretwoMTU-sizeddatapacketsaresentfollowedbytwoRSTpackets.TherstRSTpackethasasequenceequaltothestartoftheseconddatapacket,andthesecondRSTpacketcomesproperlyinsequence.Man-uallyexaminingoneoftheseconnectionsshowsanappar-entlynormalrequesttooneofYahoo'sadservers.Googlegeneratessimilaralerts,aswellasDATASEQRSTalerts.Wewerenotabletodevelopangerprintforsuchload-balancers,andthusconsiderWebserversthatgenerateonlyRSTSEQDATAandDATASEQRSTalertsasprobablynon-injectedsources.However,theWebserverofoneparticularsite,flightglobal.org,doesshowaverydistinctngerprint.OnanHTTP302(“Temporarilymoved”)errorinapersistentconnection,insteadofsend-inganormaldatapacketitsendsaTCPRSTpacketwiththepayloadcontainingtheHTTP“ObjectMoved”mes-sage.Notonlydoesthisnotmakesense,buttheRSTpacket'ssequencenumberequalsthatofthepreviousdatapacket:aRSTSEQDATAerror.SMTPSYNRSTalerts:Unlesswendasignicantclus-tering(e.g.,theYournetalertsinSection7.1.4),SYNRSTalertsaresocommonfromSMTPclientsthatwemusttreatthemasnon-injectedsources.InefcacyofSomeTests:Wendthreeofthealerts—RSTACKCHANGE,SYNRST,andSYNACKRST—non- denitiveontheirown.Wecansometimescorrelateacrossalerts(suchastheJapaneseSMTPinterferenceandtheBezeqIntinjector)tocreateaglobalpictureorngerprint,butinisolationthesealertsdonotprovideconvincingevi-denceofinjection,soweconsiderthemaslikelynotreect-inginjectedRSTs.ConfusedMultipacket:AlthoughRSTSEQCHANGEisaneffectivetoolatngerprintinginjectors,weoccasion-allyseeobviouslyanomalouscases,wherethesecondRSTpacketisveryclose(200)orveryfaraway(�4x)fromthelastdatapacket'spositioninthesequencespace.Wedonotconsidertheseaspartofdeliberateinjectionactivityunlesswecanngerprinttheminsomeothermanner(suchastheSandvineinjector),becausefordeliberateinjectionthechoiceofincrementwouldbeineffectiveandhenceispuzzling.Infosystems:WehaveobservedasingleSMTPserverbelongingtoHansonSystemsthatshowsunusualbe-havior.Itcouldbeend-hostsoftwareoritcouldbeRSTinjectionthatistriggeringonthemessage.Thishostgen-eratesRSTSEQDATAalertswhentheICSImailserverat-temptstoforwardauser'sspamtothissite.TheremotemailserverissuesarejectionmessageimmediatelyfollowedbyaRSTpacketwithsequenceequaltothepreviouspacket'sstartingsequence,aRSTSEQDATAerror.NATs:OneinternalhostatICSIgenerated30alertsduringoperation,almostallRSTSEQDATAalerts,withoneDATASEQRSTalert.Investigationrevealedthatthesourceisnotanend-hosthostbutaNAT,sowesuspectthattheRSTsresultfromerroneousstateexpirationonthepartoftheNAT.(Erroneousbecausetheconnectionwasactiveatthetimeoftermination.)Wesuspectthatsomeaddressescountedas“unknown”inTable2mightlikewisebeduetoNATs.8ConclusionsInthisworkwedevelopanefcientdetectorforforgedTCPRSTpackets,asdeployedforexamplebysomeISPstomanageP2Ptrafc,aswellasbythe“GreatFirewallofChina”tocensorcommunicationdeemedundesirablebytheChinesegovernment.OurdetectoridentiesinjectedRSTsbyexploitingtheraceconditionsthatout-of-bandin-jectorsfundamentallyface.Wethenfurtherleveragetheid-iosyncraticpeculiaritiesspecictomanybrandsofinjectorstongerprinttheirparticulartype.Usingdatasetsfromfournetworksites,ourevaluationisabletoconrmtheuseofRSTinjectionbyseveralISPs.WealsoobservethatmultipledistinctinjectorsoperateinChina.Assometimestheyareindependentlyattemptingtoblockthesameconnection,theymayhavebeeninstalledbylocalISPs,independentofthe“GreatFirewall”.Inaddi-tiontotrafcmanagementandcensoring,wealsondRSTinjectionusedasatooltocounterspamandvirusspreading.Ourstudyalsoshowsthelimitsofpassivemonitoringtodetectactivetrafcinterference.Themostfundamen-tallimitationstemsfromlikelybenignin-networkdevices,oftenend-hosts,thatproduceabnormaleffectssimilartothoseobservedwhenRSTsareinjected.Asregularlyex-periencedbynetworkresearchers,thevarietyobservedinnetworktrafcincludesmanysituationsnotcoveredbyanyRFC;inourcasethatmeansRSTssentbybuggyTCPstacksandmisbehavingmiddle-boxes.Wethereforede-signedourinjectiondetectortooperateinaconservativefashion,correlatingseveraldistinctpropertiestoensurere-liableresults.OurexperiencesalsohighlightthepitfallsonecanencounterifassumingthatpeculiarRSTsnecessarilyreecttrafccontrol.9AcknowledgmentsSpecialthankstoAngelosKeromytis,GabrielaCretu,andAngelosStavrouforrunningourdetectorattheirin-stitutions,JimMellanderforsuggestingdesynchronizationthroughpacketinjection,andChristianKreibichforhisfeedbackduringthisprocess.ThisworkwasfundedinpartbyNSFgrantsCNS-0722035andITR/ANI-0205519.Anyopinions,ndings,conclusions,andrecommendationsexpressedinthismate-rialarethoseoftheauthorsanddonotnecessarilyreecttheviewsofthefundingsource.References[1]MartinArlittandCareyWilliamson.AnAnalysisofTCPResetBehaviourontheInternet.SIGCOMMComput.Com-mun.Rev.,35(1):37–44,2005.[2]BitTorrent,www.bittorrent.com.[3]DonBowman.Privatecommunication.[4]AnneBroache.AT&T:WeDon'tThrottleP2PTraf-c.http://news.cnet.com/8301-10784_3-9929158-7.html?part=rss&subj=news&tag%=2547-1_3-0-5.[5]RichardClayton,StevenMurdoch,andRobertWatson.Ig-noringtheGreatFirewallofChina.In6thWorkshoponPri-vacyEnhancingTechnologies,2006.[6]ComcastCorporation:DescriptionofCurrentNetworkMan-agementPractices.http://downloads.comcast.net/docs/Attachment_A_Current_Practices..[7]CommentsofComcastComporation.http://fjallfoss.fcc.gov/prod/ecfs/retrieve.. [8]JedidiahR.Crandall,DanielZinn,MichaelByrd,EarlBarr,andRichEast.ConceptDoppler:AWeatherTrackerforIn-ternetCensorship.In14thACMConferenceonComputerandCommunicationSecurity(CCS),2007.[9]MarcelDischinger,AlanMislove,AndreasHaeberlen,andKrishnaP.Gummadi.DetectingBitTorrentBlocking.InInternetMeasurementConference,2008.[10]EFF“TestYourISP”Project.http://www.eff.org/testyourisp.[11]Ernesto.ComcastThrottlesBitTorrentTrafc,SeedingImpossible.http://torrentfreak.com/comcast-throttles-bittorrent-traffic-seeding-impossible.[12]JamesFallows.TheConnectionHasBeenReset.AtlanticMonthly,March2008.[13]FCCAnnouncesPublicEnBancHearinginCambridge,MAonBroadbandNetworkManagementPractices,http://hraunfoss.fcc.gov/edocs_public/280194A1.pdf.[14]A.Heffernan.RFC2385:ProtectionofBGPSessionsviatheTCPMD5SignatureOption,1998.[15]LaurentJoncheray.ASimpleActiveAttackAgainstTCP.InProceedingsofthe5thUsenixSecuritySymposium,1995.[16]EddieKohler,RobertMorris,BenjieChen,JohnJannotti,andM.FransKaashoek.TheClickmodularrouter.ACMTransactionsonComputerSystems,18(3):263–297,2000.[17]MaxMindGeoIPAddressLocationTechnology.http://www.maxmind.com/app/ip-location.[18]CadeMetz.CoxPullsaComcastwitheDonkey,http://www.theregister.co.uk/2007/11/.[19]VernPaxson.Bro:ASystemforDetectingNetworkIn-trudersinReal-Time.ComputerNetworks,31(23–24):2435–2463,1999.[20]JonPostel.RFC793-TransmissionControlProtocol,1981.[21]A.Ramaiah,R.Stewart,andM.Dalal.Improv-ingTCP'sRobustnesstoBlindIn-WindowAttacks.Internet-Draft,http://tools.ietf.org/html/draft-ietf-tcpm-tcpsecure-09,2008.[22]SandvineIntelligentTrafcManagement,http://www.sandvine.com/solutions/p2p_policy_.[23]UmeshShankarandVernPaxson.ActiveMapping:Resist-ingNIDSEvasionWithoutAlteringTrafc.InProc.IEEESymposiumonSecurityandPrivacy,2003.[24]TheSnortIDS,www.snort.org.[25]DugSong.dsnifftools.http://www.monkey.org/˜dugsong/dsniff.[26]BroadbandNetworkManagement,http://systems.cs.colorado.edu/mediawiki/index.php/.[27]FirstResultsfromVuzeNetworkMonitoringTool,http://cache2.vuze.com/docs/internet_.[28]PaulA.Watson.SlippingintheWindow:TCPResetAttacks.Presentationat2004CanSecWest,http://cansecwest.com.ATheCompleteDetectorToolboxForamoreprecisedescriptionofourtoolbox,wein-troducesometerminology.Eachdetectorworksonaper-connectionbasis.Aconnectionconsistsoftwosequencesofpackets,oneperdirection:theoriginatorsendspackets(p1;p2;:::;pn)andtherespondersends(p1;p2;:::;pm).Asmuchofourdiscussionissymmetricintermsofdi-rectionality,hereweconsideronlydetectionoforiginator-sideactivity.Weindicateapacket'sTCPagsbywritingpags,whereagsisasubsetoffS;A;F;Rgcorrespond-ingtowhichofSYN,ACK,FIN,andRSTareset.WeusepDtoindicateadatapacket(whichwillhaveACKset,butnotSYN,FIN,orRST).seq(p)isthesequencenumberofpacketp;ack(p)theACKnumber;len(p)theTCPpayloadlength;andtime(p)thepacket'stimestamp.Whenwecom-paresequence/acknumbers,wedosoinaccordancewithTCP'ssequencespace(e.g.,taking32-bitwrap-aroundsintoaccount).(i)yieldsthelargestindexjsothattime(pi)�time(pj),pinpointingthemostrecentpacket(relativetopi)intheoppositedirection.Finally,foreasiernotationwede-neapredicateearlier(p;ags;[same-dirkopp-dir]),whichistrueifandonlyifthereexistsapacketearlierthanp,sentbyeitherthesameendpoint(same-dir)ortheoppositeone(opp-dir),thathasoneofthespeciedagsset.Ifthedi-rectionisomitted,thepredicateholdsifsuchapackethasbeenseenineitherdirection.Usingthisterminology,Ta-ble3providestheprecisedenitionforourdetectors.BOpen-SourceInjectorImplementationsAlthoughwedidnothaveaccesstothetools/deviceswedetectedinourdatasets,thereareopen-sourceRSTinjec-torsavailablethatwestudied:twoseparateplug-insforthistaskthatcomewiththeSnortNIDS[24];therstutilitythatcomeswiththeBroNIDS[19];andtcpkill,astand-alonetoolforRSTinjection[25].Wend(asdiscussedbelow)thateachtoolcraftsitsRSTpacketssomewhatdifferently.WhiletheTCPstandardmandatessomepacketheaderelementsforinjectedRSTs(e.g.,IPaddressesandports),othereldsexhibitmorefree-dom.InSection4wesystematicallydiscusstherangeofchoicesavailabletoaninjector.Mostinjectorswillsendpacketstobothendhosts,reversingtheSYNandACKeldsforthepacketsinthereversedirection. Snort(asofversion2.8.1)hastwopluginsabletoper-formRSTinjection.Theolderplugin,sprespondsendsasinglepacketineachdirectionwitharandomIPID,arandomTTL,andzerowindowsize.Thenewerplugin,sprespond2sendsbydefault3RSTstoeachendpoint.IneachitsetstheTTLtooneoffourvalues(dependingonthetriggeringpacket)andselectsarandomIPID.TherstRSTisinitializedwiththecurrentSEQnumber,withsub-sequentRSTsincreasingtheACKnumberbyhalftheTCPwindowsize,butnotincrementingthesequencenumber.Althoughsprespond2hasthesamebasiclogicbugastheBezeqinjectorofincrementingtheACKinsteadoftheSEQeld,thedifferentACKincrementandconstantIPIDfortheBezeqinjectorsuggestthattheseareindependentim-plementations.TheBroNIDScomeswithanexternaltool,rst,whichtakestheconnection's4-tupleaswellasthemostrecentlyobservedsequencenumbersasarguments.TheinjectedRSTshaveaTTLof255,IPIDandwindowsizeof0,andtheSEQandACKvaluefromthearguments.Thetoolgen-eratesacontrollablenumberofRSTsineachdirection;ifsendingmorethanone,thenitalsoinsertsfakedatapack-etswithrisingsequencenumbersinbetweentoattempttoadvancethesequencepointiftherstRSTisignored,witheachdatapacketisfollowedbyanin-sequenceRST.tcpkillshipsaspartofthedsnifftoolboxandistheonlyinjectorthatoperatesinasingledirection.Itmonitorsanet-worklinkvialibpcapandselectsasubsetofTCPpacketsasspeciedbyauser-suppliedBPFexpression.Foreach(non-control)packet,tcpkillsends(bydefault)threeRSTsbacktothepacket'ssourceaddress.WhenbuildingtheRSTs,itsetstheTTLto64,picksarandomIPID,keepsthepacket'swindowsize,andsetsthesequencenumbertotheACKnumberplusitimesthewindowsize,withi=0::2accordingtothenumberoftheRSTsent.ItsetstheRST'sACKnumbertozero.Althoughalltheseinjectorshavepotentialngerprints,wedidnotnoticeanyofthembeingusedinasignicantamount.Real-WorldIPIDsandTTLsIninitialexperimentsaimedatunderstandingwhichofaRST'sfeaturesaninjectiondetectorcanrelyon,weexam-inedIPIDandTTLvaluesindepthbeforeconcludingthattheydidnotprovidesuitablecriteriafordetectinginjectedRSTs.Astheseeldscaninprinciplebefreelychosenbyaninjector(seeSection4),wethoughtthatatleastasubsetofforgedRSTswouldbedetectablebyobservinginconsis-tentchoiceswithinindividualows.However,asisoftenthecaseduetonetworktrafc'svariability,wefoundthatthesevaluesarehighlyvolatileevenwithinnormalnetworktrafc.Todemonstratethis,weexaminedoneweekofourresearchinstitute'sbordertrafc,startingonApril18,2008.Thedatasetincluded4,033,204ows,25.0%ofwhichhadmorethan10packetsfromeitherthesourceorthedestina-tion.Westartedbytestingwhethertheresultsonthepreva-lenceofRSTtrafcfrom[1]held.Ofallows,about5%wereterminatedwithanoriginator-sideRSTand0.6%witharesponder-sideRST.Whilelowerthanthe15%gureintheoriginalstudy,thegeneralobservationstillholds:asig-nicantportionofconnectionsareterminatedviaRSTs.Ingeneral,wefoundthattheTTLsoftheRSTpacketsvariedmarkedlyfromthepreviousdatapacket.Examin-ingonlyRST-terminatedows,forabout7%ofthoseter-minatedbytheoriginatortheRSTpacket'sTTLdiffered;thisroseto28%forresponder-terminatedows.WemightexpectsuchTTLdifferencestobeminor,butinfactthevolatilitywasoftenveryhigh,withTTLchangesclusteringaround64,96,128,and192,withasignicantnumberofseeminglyarbitrarydifferences.3Wealsoconrmedthataffectedowswerenotparticu-larlyunusual.Werandomlyselected200owswheretheRSTpacketshadadifferingTTL,20owswheretheclientwasvolatileand20wheretheserverwasvolatile,ineachof5TTLranges.Ofthese,onlytwoowsappearedtobeunusual(theseowstriggeredourdetector).Thus,weconcludethattherecommendationin[5]toig-noreRSTpacketswithunusualTTLswillsufferfromsig-nicantfalsepositives.WealsoexaminedtheIPIDvolatilityontheseresetcon-nections.Fororiginator-terminatedconnections,36%usedanincrementconsistentwiththecurrentow;34%werefourtimesthenormalincrement;abitunder1%hadaRSTIPIDof0;another1%usedthesameIPIDastheprevi-ouspacket;abitover1%usedtwicethenormalincrement;0.5%usedthreetimesthecurrentincrement;and27%hadnoapparentrelation.Wefoundasimilardistributionforresponder-terminatedconnections.Thus,althoughweusebothTTLandIPIDtongerprintinjectors(Section7),wedonotndthesetobeeffectivedistinguishersofinjectedRSTpackets.3WealsoobservedasimilarlevelofTTLvolatilitybetweenSYNsanddatapackets,aswellasbetweendatapacketsandFINs. NameDescriptionDenitionRSTSEQDATAOutdatedRSTfollowingdata.(pD;pR+1);whereseq(pi+1)seq(pi)+len(pi+1);andtime(pi+1)time(pi)T1;and:earlier(pi;FjR)DATASEQRSTDatafollowingaRST.(pR;pD+1);whereseq(pi+1)+len(pi+1)�minjiseq(pR);andtime(pi+1)time(pi)T1RSTSEQCHANGEMultipleRSTswithincreasingseq.(pR;pR+1);whereseq(pi+1)�seq(pi)+2;andseq(pi+1)�maxjseq(pj);andseq(pi+1)&#xi000;maxj(i)ack(pj)+2;andtime(pi+1)time(pi)T1;and:earlier(pi;F);and:earlier(pi;R;opp-dir)RSTACKCHANGEMultipleRSTswithincreasingack.(pR;pR+1);whereack(pi+1)=2fack(pi);seq(pi);0g;andack(pi+1)�maxj(i)seq(pj)+2;andtime(pi+1)time(pi)T1;and:earlier(pi;F);and:earlier(pi;R;opp-dir)SYNRSTRSTafterSYN.(pS;pR+1);wheretime(pi+1)time(pi)T2;and:earlier(pi;any;opp-dir)SYNACKRSTRSTafterSYN/ACK.(pSAi;pR+1);wheretime(pi+1)time(pi)T2;and:earlier(pi;any;opp-dir)Table3.DetectorToolbox.SeeAppendixAforterminologyandSection5fortherationalebehindchoosingT1=2secandT2=0:1sec.