• LOGIN
  • No products in the cart.

Reading News The GTD Way

china

Someone’s noticed
a very interesting fact about firewall filtering that relies on session
sniping, i.e. killing connections with RST packets. Namely, it’s rather
trivial to bypass.

For those who are into this sort of thing, the idea is very simple. China
blocks people from going to certain sites by having their firewall kill
browser sessions that contain certain banned keywords.

This particular security technique is based on sitting in between the users
and the Internet, monitoring for banned words at the firewall, and then
sending “kill packets” to the client when they ask for something China
doesn’t want them to see. These “kill packets” (RSTs) tell the requesting
computer to drop the connection immediately, which results in the user not
getting the page they were looking for. Simple enough.

Unfortunately for China,
it’s fairly trivial to drop various types of packets using a firewall on
the client side.

In other words, the entire content filtering system is based on client
systems receiving and responding normally to the firewall’s kill packets. If
the client simply drops those packets, i.e. ignores them, then their session
will continue on as if there were no filtering device in place at all.

And to make it even cooler, one can use TTL values to determine which RST
packets are probably legitimately coming from the endpoint, and which are
coming from a security device in the middle. So one could say, for example,
“Drop all incoming packets with the RST flag set that have a TTL less than
x.”

Of course, the firewall admin could exploit that rule by increasing the TTL
on their outgoing RSTs, but then one could simply open up the rule and drop
all RSTs. Cat and mouse, as usual.

Anyway, the idea’s quite interesting and it’ll be fun to see how it plays
out.

May 23, 2025

0 responses on "Reading News The GTD Way"

Leave a Message