TCP RST attack detected on file upload cut

2008-11-21 Thread Diego Ballve
Hello,

I'm observing an odd situation where Restlet is involved: pull the net
cable during file upload and router (hardware box, not Router.class)
detects TCP RST attack and blacklists our server for access from subnet.

This is the topology:
- office subnet: client application
- office router: NAT
- remote server: Apache HTTPS proxying to localhost
- remote server: Restlet with default HTTP connector

The behavior can be consistently reproduced with our setup and access to
remote server is temporarily blocked to entire office subnet. The client
application makes a GET and then a POST w/ a big file, so that I have
time to pull the plug, and that's it.

I tried reading a bit about TCP RST attack but so far I do not know how
to avoid this problem, except for disabling the attack detection in the
router or telling people not to pull the plug during upload. If anybody
has some insights to share, I'd appreciate it.

Thanks,
Diego

-- 
Diego Ballve
Digital Artefacts Europe
http://www.digital-artefacts.fi/


Re: TCP RST attack detected on file upload cut

2008-11-22 Thread Rob Heittman
Anything you can share about the router model that is doing the blacklisting
(and its firmware version)?  It sounds like an overly aggressive attack
pattern check on the router's part -- never seen anything like this before
and people abort their uploads to our Restlet powered servers all the time.
If I am fortunate enough to have the appropriate hardware/firmware around I
would be happy to snoop some packets and check it out, but otherwise I think
this is probably going to be really, really tough to reproduce.

On Sat, Nov 22, 2008 at 2:59 AM, Diego Ballve <[EMAIL PROTECTED]> wrote:

> The behavior can be consistently reproduced with our setup and access to
> remote server is temporarily blocked to entire office subnet. The client
> application makes a GET and then a POST w/ a big file, so that I have
> time to pull the plug, and that's it.
>


Re: TCP RST attack detected on file upload cut

2008-11-24 Thread Diego Ballve
Hello Rob,

Thanks for answering. The router in question is a 3C:
Software Version: 1.04-168
Hardware Version: 02.01
3C Number: 3CR860-95

And it looks like you're right on the 'overly aggressive attack pattern
check', it's a model specific issue. For reference:
http://www.dslreports.com/forum/remark,14974812

I'll try to trim the parameters here.

Regards,
Diego

Rob Heittman wrote:
> Anything you can share about the router model that is doing the
> blacklisting (and its firmware version)?  It sounds like an overly
> aggressive attack pattern check on the router's part -- never seen
> anything like this before and people abort their uploads to our Restlet
> powered servers all the time.  If I am fortunate enough to have the
> appropriate hardware/firmware around I would be happy to snoop some
> packets and check it out, but otherwise I think this is probably going
> to be really, really tough to reproduce.
> 
> On Sat, Nov 22, 2008 at 2:59 AM, Diego Ballve <[EMAIL PROTECTED]> wrote:
> 
> The behavior can be consistently reproduced with our setup and access to
> remote server is temporarily blocked to entire office subnet. The client
> application makes a GET and then a POST w/ a big file, so that I have
> time to pull the plug, and that's it.