[o11c]

(If the author is reading this: bad formatting for fin: and acknumdiff: )

Once again a discussion that covers RST injection attacks fails to consider the one case I actually saw in the wild ...

My observation involved long-lived (much longer than typical for HTTP) TCP connections with low-but-nonzero traffic (there was an application-layer heartbeat). For at least some US residential IPs (some with effectively static allocation) connected to a datacenter, they would reliably get RST injected (to the client only, not the server) after being connected long enough (usually a couple hours, but not any obvious pattern).

[supriyo-biswas]

In my very populous country, the largest ISP will inject resets if it's over IPv4 and idle for more than 10 seconds :)

These things are unfortunately rather common. This is also why I run SSH with a 5 second heartbeat duration, for example.

[patrakov]

Is the server on OVH? This is a known "feature" of their DoS protection that cannot be turned off.

[accrual]

Maybe a fun idea - run an application on both sides of a remote TCP connection that records but doesn't respond to TCP RST packets. Then see how many times you get "reset".

[geocar]

You can just drop RST packets.

    iptables -I INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
    iptables -I INPUT -p tcp --tcp-flags ALL RST -j DROP

[o11c]

That looks like exactly what I did, but it was a pain trying to get random users to do run code as root.

[thelastparadise]

Why do I find this so funny...