Comcast (along with Sandvine) has been in the news recently for blocking BitTorrent (and apparently Notes and Google) traffic using forged TCP RSTs. Examples of this behavior can be found at the following locations:

http://www.dslreports.com/forum/remark,18926539
http://forums.somethingawful.com/showthread.php?threadid=2669968
http://torrentfreak.com/images/comcast-rst1.txt

In each case above, the genuine faux RSTs come in pairs and the sequence number of the second RST is 12503 bytes higher than the first. This presumably ensures that at least one of the RSTs is within the receiver's window. Assuming that 12503 is a constant offset, what's so special about it? Why not a nice, round number like 12500, 3000, 16000 or something based on the window size?

(Using Sandvine to DoS your neighbors is left as an exercise for the reader.)
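
A detection-side check for the pattern described in the post, as an added example that is not part of the original message: it parses raw IPv4/TCP packets and reports RSTs in the same flow direction whose sequence numbers differ by 12503 (modulo 2^32). The packets, addresses and ports are constructed sample data, and the function names are illustrative.

```python
import struct
from collections import defaultdict

RST_FLAG = 0x04
PAIR_OFFSET = 12503  # offset reported in the post; assumed constant here

def parse_ipv4_tcp(pkt):
    """Return (flow, seq, flags) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IP header length; skips any IP options
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return (pkt[12:16], sport, pkt[16:20], dport), seq, off_flags & 0x1FF

def find_rst_pairs(packets, offset=PAIR_OFFSET):
    """Report (flow, seq1, seq2) where both are RSTs and seq2 = seq1 + offset."""
    rst_seqs = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed and parsed[2] & RST_FLAG:
            rst_seqs[parsed[0]].add(parsed[1])
    hits = []
    for flow, seqs in rst_seqs.items():
        for seq in sorted(seqs):
            partner = (seq + offset) % 2**32  # sequence space wraps at 2^32
            if partner in seqs:
                hits.append((flow, seq, partner))
    return hits

def build(src, dst, sport, dport, seq, flags):
    """Build a constructed IPv4/TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp

A, B, C = (192, 0, 2, 1), (198, 51, 100, 7), (203, 0, 113, 9)  # documentation ranges
SAMPLE = [  # constructed packets, not taken from the captures linked above
    build(A, B, 6881, 51000, 1000, 0x10),        # ordinary ACK
    build(A, B, 6881, 51000, 5000, 0x04),        # RST
    build(A, B, 6881, 51000, 17503, 0x04),       # RST, 12503 higher
    build(C, B, 6881, 51001, 4294960000, 0x04),  # RST near the wrap point
    build(C, B, 6881, 51001, 5207, 0x04),        # its partner after wrapping
    build(B, A, 51000, 6881, 77, 0x04),          # lone RST, no partner
]

if __name__ == "__main__":
    print(find_rst_pairs(SAMPLE))
```
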