How to protect my eMule from ISP's TCP Reset Attack?

Discussion in 'LnS English Forum' started by Kaelthas, Apr 27, 2008.

Thread Status:
Not open for further replies.
  1. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    For months, my eMule has been attacked by the ISP through TCP Reset packets! It loses connections with many servers nearly every ten minutes. I have reinstalled eMule, reinstalled my system, changed router, bought a new net card, but nope!! And finally, with some sniffers, I got the packets exchanged between eMule and servers and know that our ISP uses some poisonous RST packets to interrupt the connections between eMule and servers for limiting the bandwidth. I tried every possible means to complain to the ISP but there is no way, so I need someone HERE to help me create some RAW rules to block all these attacks!!

    Servers that I can NOT connect for long time:
    ed2k://|server|193.138.205.25|5000|/
    ed2k://|server|85.17.52.92|5000|/
    ed2k://|server|85.17.52.124|5000|/
    ed2k://|server|193.138.221.214|4242|/
    ed2k://|server|193.138.221.213|4242|/
    ed2k://|server|77.247.178.244|4242|/

    Thanks in advance!!!!!

    Regards!!

    Kael
     
    Last edited: Apr 27, 2008
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    I'm afraid there is nothing to do against that.

    First, you have no control at all over Resets that are sent to remote servers.
    Secondly, for received Resets, it is probably very difficult to identify the ones to be filtered. And you can't filter all Reset TCP packets, because they are required anyway to have TCP working properly.

    If you think Resets are only sent to your PC and not to remote servers, and if you have a way to differentiate between Resets sent by your ISP and normal Resets coming from remote servers, then maybe it is possible to create a rule.

    Regards,

    Frederic
     
  3. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    Hi,Frederic,

    Thank you for your reply!!!

    I discovered that some TCP packets have Flag AR and a TTL of 114, but the normal ones' TTL must be 45, so how can I create RAW RULES to block these RST packets?

    Regards,
    Kael
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Here is a raw rule to block received TCP packets with the Reset flag enabled and with a TTL value of 114:
    http://looknstop.soft4ever.com/Rules/En/TCP Reset Rcv & TTL.rie
    You can edit it (with the plugin) and change the value of the field #3 if 114 is finally not correct.

    As I said before, this will just handle a reset your PC receives. If a reset is sent to the remote side too, the connection will be stopped anyway.

    Regards,

    Frederic
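
The check discussed in posts 3 and 4 (reset flag plus an unusual TTL), as an added example that is not part of the thread or of Look 'n' Stop: it parses raw IPv4/TCP headers and flags RSTs whose TTL differs from the TTL of ordinary packets with the same source address. The client address, ports and sample packets are constructed; the TTL values 45 and 114 and the server address come from the posts above.

```python
import struct
from collections import Counter, defaultdict

RST = 0x04  # TCP flag bit; "Flag AR" in the post is ACK|RST = 0x14

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, ttl, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None                        # malformed, not TCP, or truncated
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, pkt[8], pkt[ihl + 13]  # TTL is IP byte 8, flags TCP byte 13

def suspicious_resets(packets, tolerance=2):
    """List (src, rst_ttl, usual_ttl) for RSTs whose TTL departs from the
    TTL of non-RST packets carrying the same source address."""
    parsed = [p for p in map(parse_ipv4_tcp, packets) if p]
    baseline = defaultdict(Counter)
    for src, _, ttl, flags in parsed:
        if not flags & RST:
            baseline[src][ttl] += 1
    hits = []
    for src, _, ttl, flags in parsed:
        if flags & RST and baseline[src]:   # skip sources with no baseline
            usual = baseline[src].most_common(1)[0][0]
            if abs(ttl - usual) > tolerance:
                hits.append((src, ttl, usual))
    return hits

def build(src, dst, ttl, flags):
    """Constructed sample packet: bare IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 5000, 4662, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

SERVER, CLIENT = "193.138.205.25", "192.168.0.2"  # client address is assumed
SAMPLE = [                                  # constructed capture, not real data
    build(SERVER, CLIENT, 45, 0x12),        # SYN+ACK, normal TTL
    build(SERVER, CLIENT, 45, 0x18),        # PSH+ACK, normal TTL
    build(SERVER, CLIENT, 114, 0x14),       # RST+ACK, TTL 114 -> flagged
    build(SERVER, CLIENT, 45, 0x14),        # RST+ACK, normal TTL -> not flagged
]

if __name__ == "__main__":
    print(suspicious_resets(SAMPLE))
```

A TTL mismatch indicates that the reset travelled a different number of hops than the server's other packets; it does not by itself identify who sent it.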
     
  5. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    Frederic,
    Thank you indeed!! I will try it as soon as possible. But tell me, if the RST packets are sent to both, how can I get proof of our ISP's attack in the packets I received? I will try to take some legal action and I need proof that the attack is from our ISP. Is there any way to find out where the packets are sent from (ISP's special IPs, etc.)?

    Thanks!!
    Regards!
    Kael
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Sorry, I don't know at all. I can just help you filter packets, when possible, and if you specify them (like you did, by saying TTL is 114).

    Regards,

    Frederic
     
  7. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    Frederic,
    The above rule has NO effect, and someone at a Linux forum tells me about this command:
    Code:
    iptables -I FORWARD -p tcp -d 192.168.0.0/24 --tcp-flags RST RST -j DROP

    It can help MLDonkey and aMule to avoid receiving those poisonous RST packets. Can you tell me what the command means in detail? I am a novice to Unix. And can you please create a rule that has the same function as the command? Or finally we have to drop every RST packet---I know it's part of TCP and we need it to handle the communication correctly, but if dropping all these RST packets can make eMule run smoothly, I am glad to have all RSTs dropped even if I cannot use other internet apps when using eMule!

    Thanx!!
    Regards!!

    Kael'thas
     
  8. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    The rule I created blocks incoming packets with the reset flag and with a TTL of 114. This is what you asked.
    I'm not surprised this is not sufficient. As I told you in the first post I don't think there is really a solution for that, especially if a Reset is sent to the remote server.
    Unfortunately, I don't know this Linux command. If it blocks all Reset packets, it won't be a solution anyway; as I told you, they are required.

    Regards,

    Frederic
     
  9. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    Frederic,
    Thanx anyway! You mean that there is nothing we can do about it if we connect to the remote server via the ISP.... It's sad to know this!

    Regards,
    Kael'thas
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Unfortunately, large parts of the world are stuck with only one ISP. So, you have to choose between bad and nothing :D
     
  12. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    @Mrkvonic,
    Thank you for your reply. I have already been using the "protocol obfuscation", and it is no use: the ISP locks the IPs of those servers and sends RSTs to both sides, so in this way the "protocol obfuscation" has no function.

    @Lucas1985,
    Yes, I can't agree more!!
     
  13. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710