Howdy all,
I’m new to the list, and was brought here by googling for “TCP Reset cause:)”, which in turn brought me to the post at:
http://www.ethereal.com/lists/ethereal-users/200404/msg00203.html
I thought I’d throw out a bit more information I discovered for your enjoyment.
I’ve been chasing packets that I suspect are related to the Q Trojan. The most interesting characteristics of these packets include:
• Same SRC, Spoofed 255.255.255.255
• Same SRC Port – 31337
• Same DST Port – 515
• RST and ACK bits are set
• IP ID = 0
• TTL = 14
And each lists “Reset cause: cko” in the RST segment.
At first, I expected the “cko” payload might be the result of encryption used by the Q Trojan. I had high hopes I could track variants based on this payload, until I found
http://www.sonicwall.com/services/pdfs/technotes/SonicOS_TCP_RST.pdf
This document details the various RST codes used by SonicOS
(Sonic Firewalls, etc.). As per their OS, they define three types of
resets (Connection Cache Cleanup Resets, SYN Flood Protection Resets, and
Responsive Resets). Each type has further information on the behavior of
that OS, and a list of RST Codes that are included in the RST Segment of the
packet.
The connection cache cleanup uses the following RST codes:
• cki – TCP reset sent to the initiator.
• cko – TCP reset sent to the responder.
SonicWALL security appliances use the following responsive TCP RST codes:
• ehfp – Sent if non-standard FTP DATA ports are disallowed, and a non-standard port is encountered. Keeps the command channel open (SonicOS Enhanced only).
• ehih – Sent in response to a violation of TCP Handshake enforcement (i.e. where an invalid flag is received during the 3 way TCP handshaking process).
• ehnc – Sent upon encountering an inbound packet that does not have a connection cache entry. This RST is not sent in response to other RST packets to avoid RST packet storms.
• fpts – Sent if non-standard FTP DATA ports are disallowed, and a non-standard port is encountered. Keeps the command channel open (SonicOS Standard and Pre-SonicOS operating systems only).
• nboop – Sent by stateful NNTP code in the event of out-of-order data.
• rctcpi – Sent to Trusted sources in the event of an Access Rule violation.
• rctcpo – Sent to Untrusted sources in the event of an Access Rule violation, but only if Stealth Mode is off.
• rlc – Sent to enforce licensing restrictions (i.e. connection limit exceeded).
• wlb – Sent by WAN Load Balancing TCP probe code (SonicOS Enhanced only).