interesting-people message



Subject: [IP] Interesting query re: Comcast forging RSTs again (and now SYN/ACKs)?


________________________________________
From: Brett Glass [brett@lariat.net]
Sent: Monday, April 07, 2008 11:15 PM
To: David Farber; ip
Subject: Re: [IP] Comcast forging RSTs again (and now SYN/ACKs)?

David:

It appears that the student experimenters at CU designed their
experiment very poorly and then jumped to conclusions about the
results.

Firstly, they launched a "SYN flood" -- which any good intrusion
detection system will see as a "bot" and/or a direct DoS attack.
Comcast would have been well justified in cutting them off altogether
as a result of this behavior. But instead, it appears that their
traffic management system imposes a TCP connection limit (a
reasonable thing to do, especially on a connection that uses
NAT and might otherwise overflow the router's session tables). When
it saw too many SYNs, it began to block new connections. Not an
unreasonable thing to do.

Secondly, the students tried to connect to a Web server at a
nonexistent address. Many ISPs perform transparent Web caching, and
a transparent Web proxy handles this situation by fielding the
connection and trying to contact the destination host. If it fails
to do so, it can either send back its own error message or simply
send a RST (which results in the same browser error message that
would occur if there were no proxy). This is the normal behavior
of a device which speeds Web browsing and hence is consumer-friendly,
and certainly should not be a basis for bashing Comcast.

Finally, they claim that they have "observed" a shift in Comcast
network management policy, even though they did no tests before
Comcast claimed to be changing that policy. Without a control
in their experiment, how can they credibly make such a statement?

--Brett Glass


-------------------------------------------
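The per-subscriber TCP connection limit described in the message above, modelled as an added example; it is not part of Brett Glass's message and not Comcast's actual system. The class, the limit of 4 sessions, the 30-second half-open timeout and the sample events are all assumptions constructed for illustration. It shows why a burst of SYNs that never complete a handshake fills the session table and gets new connections blocked, while the same number of connections opened and closed in turn does not.

```python
from collections import defaultdict

class ConnectionLimiter:
    """Per-subscriber cap on tracked TCP sessions, half-open ones included.
    The default limits are demo assumptions, not figures from the message."""

    def __init__(self, max_sessions=4, half_open_timeout=30.0):
        self.max_sessions = max_sessions
        self.half_open_timeout = half_open_timeout
        self.table = defaultdict(dict)  # subscriber -> {flow: (state, last_seen)}

    def _expire(self, subscriber, now):
        # Drop half-open entries whose handshake never completed in time.
        flows = self.table[subscriber]
        for flow, (state, seen) in list(flows.items()):
            if state == "SYN_SENT" and now - seen > self.half_open_timeout:
                del flows[flow]

    def observe(self, ts, subscriber, flow, flag):
        """Return 'allow' or 'block' for one outbound segment."""
        self._expire(subscriber, ts)
        flows = self.table[subscriber]
        if flag == "SYN":
            if flow in flows:                      # retransmitted SYN
                return "allow"
            if len(flows) >= self.max_sessions:    # table full: refuse new session
                return "block"
            flows[flow] = ("SYN_SENT", ts)
            return "allow"
        if flow not in flows:                      # segment for an untracked flow
            return "block"
        if flag == "ACK":
            flows[flow] = ("ESTABLISHED", ts)
        elif flag in ("FIN", "RST"):
            del flows[flow]                        # session closed, slot freed
        return "allow"

def run(events, **limits):
    limiter = ConnectionLimiter(**limits)
    return [limiter.observe(*event) for event in events]

def sample_flow(port):
    # Constructed flow tuple using documentation addresses (RFC 5737).
    return ("192.0.2.10", port, "198.51.100.7", 80)

# Constructed input: six SYNs in a burst with no handshake ever completing.
BURST = [(0.1 * i, "sub-a", sample_flow(40000 + i), "SYN") for i in range(6)]
# Constructed input: six connections opened, completed and closed one at a time.
SEQUENTIAL = [(float(i) + d, "sub-a", sample_flow(41000 + i), f)
              for i in range(6) for d, f in ((0.0, "SYN"), (0.1, "ACK"), (0.5, "FIN"))]
```

`run(BURST)` allows the first four SYNs and blocks the last two; `run(SEQUENTIAL)` allows every segment because each closed session frees its slot.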

