Ethereal-users: [Ethereal-users] Reset Cause and further info (SonicOS Specific)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Dustin Decker" <dustin.decker@xxxxxxxxxxxxxxxx>
Date: Mon, 6 Sep 2004 09:15:14 -0500

Howdy all,

I’m new to the list, and was brought here by googling for “TCP Reset cause:)”, which in turn brought me to the post at:

http://www.ethereal.com/lists/ethereal-users/200404/msg00203.html


I thought I’d throw out a bit more information I discovered for your enjoyment.


I’ve been chasing packets that I suspect are related to the Q Trojan.  The most interesting characteristics of these packets include:

Same SRC, Spoofed 255.255.255.255

Same SRC Port – 31337

Same DST Port – 515

RST and ACK bits are set

IP ID = 0

TTL = 14

And each lists “Reset cause: cko” in the RST segment.


At first, I expected the “cko” payload might be the result of encryption used by the Q Trojan.  I had high hopes I could track variants based on this payload, until I found

http://www.sonicwall.com/services/pdfs/technotes/SonicOS_TCP_RST.pdf


This document details the various RST codes used by SonicOS (Sonic Firewalls, etc.).  As per their OS, they define three types of resets (Connection Cache Cleanup Resets, SYN Flood Protection Resets, and Responsive Resets).  Each type has further information on the behavior of that OS, and a list of RST Codes that are included in the RST Segment of the packet.


The connection cache cleanup uses the following RST codes:

• cki - TCP reset sent to the initiator.

• cko - TCP reset sent to the responder.


SonicWALL security appliances use the following responsive TCP RST codes:

• ehfp – Sent if non-standard FTP DATA ports are disallowed, and a non-standard port is encountered. Keeps the command channel open (SonicOS Enhanced only).

• ehih – Sent in response to a violation of TCP Handshake enforcement (i.e. where an invalid flag is received during the 3 way TCP handshaking process).

• ehnc – Sent upon encountering an inbound packet that does not have a connection cache entry. This RST is not sent in response to other RST packets to avoid RST packet storms.

• fpts - Sent if non-standard FTP DATA ports are disallowed, and a non-standard port is encountered. Keeps the command channel open (SonicOS Standard and Pre-SonicOS operating systems only).

• nboop - Sent by stateful NNTP code in the event of out-of-order data.

• rctcpi – Sent to Trusted sources in the event of an Access Rule violation.

• rctcpo – Sent to Untrusted sources in the event of an Access Rule violation, but only if Stealth Mode is off.

• rlc – Sent to enforce licensing restrictions (i.e. connection limit exceeded).

• wlb – Sent by WAN Load Balancing TCP probe code (SonicOS Enhanced only).



Dustin Decker
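As an added example (not part of Dustin's post or of SonicWALL's technote), the following Python parses a raw IPv4/TCP segment, confirms RST and ACK are set, and maps a "Reset cause:" payload to the SonicOS code list quoted above. The sample frame is constructed from the characteristics the post lists; the destination 192.0.2.10 is a placeholder and checksums are left zero since the code only parses.

```python
import struct

# SonicOS TCP RST cause codes, as listed in the post (from the SonicWALL technote).
SONICOS_RST_CODES = {
    "cki": "cache cleanup: reset sent to the initiator",
    "cko": "cache cleanup: reset sent to the responder",
    "ehfp": "responsive: non-standard FTP DATA port disallowed (Enhanced)",
    "ehih": "responsive: TCP handshake enforcement violation",
    "ehnc": "responsive: inbound packet without connection cache entry",
    "fpts": "responsive: non-standard FTP DATA port disallowed (Standard/pre-SonicOS)",
    "nboop": "responsive: stateful NNTP out-of-order data",
    "rctcpi": "responsive: access rule violation, trusted source",
    "rctcpo": "responsive: access rule violation, untrusted source (Stealth Mode off)",
    "rlc": "responsive: licensing connection limit exceeded",
    "wlb": "responsive: WAN load balancing TCP probe (Enhanced)",
}
TCP_RST, TCP_ACK = 0x04, 0x10

def build_frame(src, dst, sport, dport, flags, ttl, ip_id, payload):
    """Build a minimal IPv4/TCP segment (checksums left zero; we only parse it)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def classify_reset(frame):
    """Parse IP/TCP headers, then explain a SonicOS 'Reset cause:' payload if present."""
    ihl = (frame[0] & 0x0F) * 4                 # IPv4 header length in bytes
    ip_id, ttl = struct.unpack("!H", frame[4:6])[0], frame[8]
    tcp = frame[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags, payload = tcp[13], tcp[(tcp[12] >> 4) * 4:]   # data offset is in 32-bit words
    info = {"src": ".".join(map(str, frame[12:16])), "sport": sport, "dport": dport,
            "ip_id": ip_id, "ttl": ttl,
            "rst_ack": (flags & (TCP_RST | TCP_ACK)) == (TCP_RST | TCP_ACK)}
    text = payload.decode("ascii", errors="replace")
    if info["rst_ack"] and text.startswith("Reset cause: "):
        code = text[len("Reset cause: "):].strip("\x00 \r\n")
        info["code"] = code
        info["meaning"] = SONICOS_RST_CODES.get(code, "unknown: not a documented SonicOS code")
    return info

# Constructed sample mirroring the post's observations; 192.0.2.10 is a placeholder destination.
SAMPLE = build_frame("255.255.255.255", "192.0.2.10", 31337, 515,
                     TCP_RST | TCP_ACK, 14, 0, b"Reset cause: cko")

if __name__ == "__main__":
    for key, value in classify_reset(SAMPLE).items():
        print(f"{key}: {value}")
```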