{"id":17048194,"url":"https://github.com/darkk/rstlss","last_synced_at":"2025-04-07T05:17:08.258Z","repository":{"id":66481326,"uuid":"182250275","full_name":"darkk/rstlss","owner":"darkk","description":"Proof-of-concept of an unprivileged Linux process using a BPF filter to block RST packets","archived":false,"fork":false,"pushed_at":"2019-04-19T12:22:51.000Z","size":3,"stargazers_count":498,"open_issues_count":0,"forks_count":4,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-31T04:07:10.980Z","etag":null,"topics":["deep-packet-inspection","dpi","lulz"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/darkk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-19T10:48:47.000Z","updated_at":"2025-03-13T14:52:51.000Z","dependencies_parsed_at":null,"dependency_job_id":"3d9995e4-6db2-4683-8af3-c69a92f8aae9","html_url":"https://github.com/darkk/rstlss","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkk%2Frstlss","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkk%2Frstlss/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkk%2Frstlss/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkk%2Frstlss/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/darkk","download_url":"https://codeload.github.com/darkk/rstlss/ta
r.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247595335,"owners_count":20963943,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deep-packet-inspection","dpi","lulz"],"created_at":"2024-10-14T09:51:18.625Z","updated_at":"2025-04-07T05:17:08.233Z","avatar_url":"https://github.com/darkk.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"rstlss (RST-less TCP)\n=====================\n\n`rstlss` is an example of an unprivileged Linux process using a BPF filter to\nblock certain TCP packets coming to the socket.\n\nThis specific example shows how to circumvent a one-sided [TCP reset attack](https://en.wikipedia.org/wiki/TCP_reset_attack)\nby an _on-path_ DPI box [blocking](http://isitblockedinrussia.com/?host=https%3A%2F%2Frutracker.org)\n`https://rutracker.org` (as _Inappropriate TCP Resets Considered Harmful_). :-)\n\nThe _on-path_ DPI box is assumed to be _passive_, being unable to _drop_ packets,\njust being able to inject some.\n\n_One-sided TCP reset attack_ means that an RST packet is injected only towards the\n\"client\" endpoints and the \"server\" does not get another RST. E.g. some networks\nin [Uganda block OpenVPN/TCP](https://ooni.torproject.org/post/uganda-social-media-tax/#vpn-blocking)\nwith two-sided TCP reset attacks. One has to control the server as well to\nmitigate a two-sided attack.\n\n## Example\n\nThe following tests were done on 2019-04-19 from AS8997, OJSC Rostelecom. 
The\nvantage point observes blocking of HTTPS websites by means of SNI-based\ndetection and one-sided RST injection to block connections.\n\n### Desktop Linux\n\nIt just runs and just works:\n\n```\n$ go build .\n$ ./rstlss\npanic: Get https://rutracker.org/robots.txt: read tcp 192.168.100.223:34176-\u003e195.82.146.214:443: read: connection reset by peer\n\ngoroutine 1 [running]:\nmain.main()\n        /home/darkk/go/src/github.com/darkk/rstlss/main.go:72 +0x69a\n$ RSTLSS=1 ./rstlss | grep -C 3 rutracker\nAllow: /forum/viewforum.php?f=\nAllow: /forum/viewtopic.php\nDisallow: /\nHost: rutracker.org\n\nUser-agent: Adsbot-Google\nUser-agent: Googlebot-Image\n$\n```\n\n### Android\n\nThe binary is run with the awesome [Termux](https://termux.com/) after\ncross-compiling the binary on the desktop:\n\n```\n$ CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build .\n```\n\nThe Android PoC needs a DNS server specified manually due to\n[golang/go#8877](https://github.com/golang/go/issues/8877) and\n[`net.dns1` hidden](https://developer.android.com/about/versions/oreo/android-8.0-changes.html#o-pri)\nsince Android 8.0. One can get the DNS server from _Network Details_:\n\n```\n$ RSTLSS_DNS=192.168.100.1:53 ./rstlss\npanic: Get https://rutracker.org/robots.txt: read tcp 192.168.100.136:39882-\u003e195.82.146.214:443: read: connection reset by peer\n\ngoroutine 1 [running]:\nmain.main()\n        /home/darkk/go/src/github.com/darkk/rstlss/main.go:72 +0x544\n$ RSTLSS_DNS=192.168.100.1:53 RSTLSS=1 ./rstlss | grep -C 3 rutracker\nAllow: /forum/viewforum.php?f=\nAllow: /forum/viewtopic.php\nDisallow: /\nHost: rutracker.org\n\nUser-agent: Adsbot-Google\nUser-agent: Googlebot-Image\n$\n```\n\n## Outro\n\nThis technique does not protect against malicious data being injected and\neffectively terminating the connection (e.g. HTTP redirect, TLS Alert or random\ngarbage for an authenticated TLS connection). 
Doing MAC within the 4096-opcode limit\nof a BPF program (~11 opcodes per dword) is left as an exercise for the reader.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkk%2Frstlss","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdarkk%2Frstlss","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkk%2Frstlss/lists"}