Firewall Wizards mailing list archives

Re: RST's and ACK's and stealth scans


From: Steve Bellovin <smb () research att com>
Date: Sat, 02 May 1998 18:52:15 -0400

Quick questions about TCP/IP traffic
1. What does it mean when I see a Reset accompanied with an ACK?

That is... someone told me that if I see a packet that only has the RESET flag
set, this means that the connection was terminated (Or not allowed to
establish).
But, they said, If I see a packet that contains a RESET with the ACK bit set
then although the connection was refused, this is evidence that some service
was at least listening enough to Acknowledge.

2. Can I assume that when My firewall sends RST that the packet reveals
nothing more than the fact that the connection was refused, whether the ACK bit
is set or not?

3. If RST was sent and window size is 0 (ACK or no ACK) I conclude that my
firewall really does not want to talk... Is this a correct conclusion?

This is far too complicated a set of questions for a quick answer.
However -- RST without ACK means "connection refused", which generally
means that there's nothing listening on that port.

Once a connection is set up (that is, has transitioned to ESTABLISHED
state), all packets will carry the ACK bit.  They must also carry an
acceptable sequence number.  These provisions both apply to RST messages,
too.  In this case, though, a RST means that the other side has aborted
the connection for some reason.

The window size on an ACK packet is irrelevant.

What flavor RST your firewall should send depends on the connection
state; if it gets it wrong, the remote side probably won't listen.
That's definitely the case for a bare RST on an established connection.

For more details, see RFC 793 and/or a good text on TCP, such as
Stevens' ``TCP/IP Illustrated, Volume I''.
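
The reset rules in RFC 793, which the message points to, worked through as an added example (not part of the original post): which RST a host generates for a segment that matches no connection, and whether a peer in a given state honours an RST it receives. The `Seg` class and function names are illustrative, and only the original RFC 793 checks are modelled.

```python
# Added example: RFC 793 "Reset Generation" and "Reset Processing".
# Seg and the function names are illustrative, not from any real stack.
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
MOD = 1 << 32  # sequence numbers are 32-bit and wrap

@dataclass
class Seg:
    flags: int
    seq: int = 0
    ack: int = 0
    payload_len: int = 0

    @property
    def seg_len(self):
        # SYN and FIN each occupy one sequence number.
        return self.payload_len + bool(self.flags & SYN) + bool(self.flags & FIN)

def rst_for_closed(seg):
    """Reply RFC 793 prescribes when no connection exists for seg."""
    if seg.flags & RST:
        return None                     # a reset is never answered with a reset
    if seg.flags & ACK:
        return Seg(RST, seq=seg.ack)    # bare RST, SEQ copied from SEG.ACK
    # No ACK on the incoming segment (e.g. an initial SYN): RST+ACK, SEQ 0.
    return Seg(RST | ACK, seq=0, ack=(seg.seq + seg.seg_len) % MOD)

def in_window(seq, rcv_nxt, rcv_wnd):
    # Zero-length segment test; with a zero window only RCV.NXT is acceptable.
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD < rcv_wnd

def rst_accepted(state, rst, *, iss=0, snd_nxt=0, rcv_nxt=0, rcv_wnd=0):
    """Would a peer in `state` act on this RST under RFC 793?"""
    if state in ("CLOSED", "LISTEN"):
        return False                    # incoming RSTs are ignored
    if state == "SYN-SENT":
        # Honoured only if it carries an ACK covering our SYN:
        # ISS < SEG.ACK <= SND.NXT. The SEQ field is not checked here.
        return bool(rst.flags & ACK) and \
            0 < (rst.ack - iss) % MOD <= (snd_nxt - iss) % MOD
    # All other states: the ACK bit is not consulted, only SEG.SEQ,
    # which must fall inside the receive window.
    return in_window(rst.seq, rcv_nxt, rcv_wnd)
```

Stacks that implement RFC 5961 are stricter than this model: an in-window RST whose sequence number is not exactly RCV.NXT draws a challenge ACK instead of tearing the connection down.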


