Sustainable Sustworks - Tools for Internet Travel
Inspired Tools for the Mac

Application Note 1002

Resolving Promiscuous Resets



Consider the following scenario

You are attending a Macintosh conference where many people are using AirPort wireless to access the Internet from their laptops. For no apparent reason, many web sites are slow or fail to come up on the first attempt. Your web browser reports "connection refused" or "the connection was reset".

You may be experiencing promiscuous resets.

What happened

Someone on your LAN is running a firewall configured to Reject (rather than silently Drop) connection requests to port 80 (HTTP), so it answers each port 80 SYN it processes with a TCP Reset. They then start a monitoring tool that puts their interface into promiscuous mode. In promiscuous mode the interface passes every frame on the shared medium up the stack, not just the frames addressed to that machine, and their firewall now rejects every port 80 connection request it sees on the LAN, including yours.

When you try to access a web site, their firewall answers your connection request with a Reset. Because that machine is on your LAN and the real web server is many hops away, the forged Reset reaches you before the remote site's SYN-ACK can, and your TCP stack, still waiting for that SYN-ACK, accepts the Reset and reports the connection as refused or reset.

IPNetSentryX includes a feature to work around this problem. When it sees an incoming TCP Reset segment, it holds it for 0.5 seconds, giving the remote site a chance to respond first. If the Reset is legitimate (the remote host really did refuse or abort the connection), no other response arrives and the Reset is delivered normally, just half a second later. If the remote site does respond, its SYN-ACK completes the handshake first, and the delayed Reset is discarded because its sequence number (0 for a Reset generated in reply to a SYN) no longer falls within the receive window established by the SYN-ACK. The limit of this approach is the delay itself: if the remote site's reply takes longer than 0.5 seconds to arrive, the forged Reset is still delivered first and the connection still fails.

This problem only occurs if both machines are on the same LAN segment, such as a hub or a shared wireless network. If they are separated by a switch, the promiscuous interface will no longer see your connection requests: a switch forwards a unicast frame only to the port that owns its destination MAC address, so the other host's interface is sent only broadcast, multicast and its own traffic. Apple has also implemented a fix so that newer systems will not send promiscuous resets via AirPort.
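The following Python model shows why holding a Reset back for 0.5 seconds works, and where it stops working. It is an added example, not IPNetSentryX code. It assumes the RFC 793 rules for accepting a RST (in SYN-SENT, the RST's ACK must acknowledge our SYN; once established, the RST's sequence number must fall in the receive window) and assumes the rejecting firewall answers a SYN the way RFC 793 prescribes, with SEQ=0 and ACK=SYN.seq+1. The segment timings, sequence numbers and the 0.5 s delay are constructed for the illustration.

```python
"""Why delaying a TCP Reset defeats a promiscuous reset (added example).

Models a client socket in SYN-SENT with the RFC 793 acceptance rules:
  * in SYN-SENT a RST is accepted only if ISS < ack <= SND.NXT;
  * in ESTABLISHED a RST is accepted only if RCV.NXT <= seq < RCV.NXT+RCV.WND
    (compared modulo 2**32).
A firewall rejecting a SYN replies <SEQ=0><ACK=SYN.seq+1><RST,ACK>, so once the
real SYN-ACK has set RCV.NXT, the forged RST's seq of 0 is out of window.
All segments below are constructed; times are seconds after the client's SYN.
"""
from dataclasses import dataclass

MOD = 1 << 32


@dataclass(frozen=True)
class Segment:
    t: float     # arrival time at the client, seconds after it sent its SYN
    flags: str   # subset of "SAR": SYN, ACK, RST
    seq: int
    ack: int


class SynSentClient:
    """Minimal client-side TCP state: SYN_SENT -> ESTABLISHED or CLOSED."""

    def __init__(self, iss: int, rcv_wnd: int = 65535):
        self.iss = iss              # our initial sequence number
        self.snd_nxt = iss + 1      # the SYN consumes one sequence number
        self.rcv_nxt = None         # unknown until a SYN-ACK arrives
        self.rcv_wnd = rcv_wnd
        self.state = "SYN_SENT"
        self.events = []

    def _ack_acceptable(self, seg: Segment) -> bool:
        return "A" in seg.flags and self.iss < seg.ack <= self.snd_nxt

    def _seq_in_window(self, seq: int) -> bool:
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def deliver(self, seg: Segment) -> None:
        if self.state == "CLOSED":
            return
        if "R" in seg.flags:
            ok = self._ack_acceptable(seg) if self.state == "SYN_SENT" \
                else self._seq_in_window(seg.seq)
            if ok:
                self.state = "CLOSED"
                self.events.append(f"t={seg.t:.3f} RST accepted: connection reset")
            else:
                self.events.append(f"t={seg.t:.3f} RST ignored: seq out of window")
            return
        if self.state == "SYN_SENT" and "S" in seg.flags and self._ack_acceptable(seg):
            self.rcv_nxt = (seg.seq + 1) % MOD   # SYN-ACK sets the receive window
            self.state = "ESTABLISHED"
            self.events.append(f"t={seg.t:.3f} SYN-ACK accepted: established")


def run(segments, rst_delay: float = 0.0, iss: int = 1_000_000) -> str:
    """Deliver segments in arrival order, holding every RST back by rst_delay."""
    client = SynSentClient(iss)
    timed = [(s.t + rst_delay if "R" in s.flags else s.t, i, s)
             for i, s in enumerate(segments)]
    for t, _, s in sorted(timed):
        client.deliver(Segment(t, s.flags, s.seq, s.ack))
    return client.state


ISS = 1_000_000            # client's initial sequence number (constructed)
SERVER_ISN = 3_000_000_000  # real server's initial sequence number (constructed)
FORGED_RST = Segment(0.001, "RA", seq=0, ack=ISS + 1)          # from the LAN host
REAL_SYNACK = Segment(0.080, "SA", seq=SERVER_ISN, ack=ISS + 1)  # 80 ms away
LEGIT_RST = Segment(0.080, "RA", seq=0, ack=ISS + 1)           # server port closed
SLOW_SYNACK = Segment(0.700, "SA", seq=SERVER_ISN, ack=ISS + 1)  # 700 ms away


def promiscuous_reset_undefended() -> str:
    return run([FORGED_RST, REAL_SYNACK])            # RST wins: CLOSED


def promiscuous_reset_delayed() -> str:
    return run([FORGED_RST, REAL_SYNACK], 0.5)       # SYN-ACK wins: ESTABLISHED


def legitimate_reset_delayed() -> str:
    return run([LEGIT_RST], 0.5)                     # still reset, 0.5 s later


def slow_server_delayed() -> str:
    return run([FORGED_RST, SLOW_SYNACK], 0.5)       # RTT > delay: CLOSED


if __name__ == "__main__":
    for f in (promiscuous_reset_undefended, promiscuous_reset_delayed,
              legitimate_reset_delayed, slow_server_delayed):
        print(f"{f.__name__}: {f()}")
```

The fourth case is the caveat: the delay only helps when the genuine reply beats the held-back Reset, so a remote site further than about half a second away still loses. Real stacks compare sequence numbers modulo 2^32 as `_seq_in_window` does; RFC 5961 tightens the ESTABLISHED rule further (exact match on RCV.NXT, otherwise a challenge ACK), which only makes the forged RST easier to discard.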

See for yourself

You can demonstrate this behavior if you have two machines with IPNetSentryX on the same LAN segment (a hub or a shared wireless network, not separated by a switch). Set up one machine to reject connection requests to port 80 like this:

Next, use the TCP Dump tool to set the desired interface to promiscuous mode:

When you try to access the web from another machine on this LAN, connections will be refused.

Now enable IPNetSentryX on your other machine with a configuration that includes delaying promiscuous resets:

The match count for the Delay action increments and normal web access is restored.
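If you capture the demonstration with tcpdump on the victim machine, two things give the promiscuous reset away: the Reset comes back within LAN latency of the SYN, far sooner than a server several hops away could answer, and the real server then answers the same SYN with a SYN-ACK whose IP TTL differs from the Reset's (the forger's stack set its own initial TTL; the real server's has been decremented at every hop). The following Python script applies both checks to a capture. It is an added example, not part of IPNetSentryX; the segment records are constructed to resemble a capture of the demonstration, not taken from one, and the `LAN_RTT_MAX` threshold is an assumption.

```python
"""Recognise promiscuous (forged) TCP resets in a capture (added example).

Input records are constructed, not a real capture.  Two signals are checked:
  1. a RST "from" the web server arrives within LAN latency of our SYN;
  2. the real server later answers the same SYN with a SYN-ACK, and its IP
     TTL differs from the RST's.
LAN_RTT_MAX is an assumed threshold, not a value from the application note.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    t: float      # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # subset of "SAR": SYN, ACK, RST
    ttl: int      # IP TTL as seen on the wire


LAN_RTT_MAX = 0.002   # assumption: a same-segment host replies within 2 ms


def find_forged_resets(segs, client_ip):
    """Return [(key, [reasons])] for RSTs that look forged.

    key is (client port, server ip, server port); only the first SYN, RST and
    SYN-ACK seen for each key are considered."""
    syn_time, first_rst, first_synack = {}, {}, {}
    for s in sorted(segs, key=lambda s: s.t):
        if s.src == client_ip and s.flags == "S":
            syn_time.setdefault((s.sport, s.dst, s.dport), s.t)
        elif s.dst == client_ip:
            key = (s.dport, s.src, s.sport)
            if "R" in s.flags:
                first_rst.setdefault(key, s)
            elif "S" in s.flags and "A" in s.flags:
                first_synack.setdefault(key, s)

    findings = []
    for key, rst in first_rst.items():
        if key not in syn_time:
            continue                      # RST for a connection we never opened
        reasons = []
        if rst.t - syn_time[key] < LAN_RTT_MAX:
            reasons.append("RST arrived within LAN latency of the SYN")
        sa = first_synack.get(key)
        if sa is not None and sa.t > rst.t:
            reasons.append("server later answered the same SYN with SYN-ACK")
            if sa.ttl != rst.ttl:
                reasons.append(f"TTL mismatch: RST {rst.ttl} vs SYN-ACK {sa.ttl}")
        if reasons:
            findings.append((key, reasons))
    return findings


CLIENT = "10.0.1.20"
CAPTURE = [  # constructed sample, as tcpdump on the victim might show it
    Seg(0.0000, CLIENT, 49152, "203.0.113.10", 80, "S", 64),
    Seg(0.0006, "203.0.113.10", 80, CLIENT, 49152, "RA", 64),  # forged on the LAN
    Seg(0.0820, "203.0.113.10", 80, CLIENT, 49152, "SA", 51),  # real server answers
    Seg(1.0000, CLIENT, 49153, "198.51.100.5", 80, "S", 64),
    Seg(1.0900, "198.51.100.5", 80, CLIENT, 49153, "RA", 53),  # genuine refusal
    Seg(2.0000, CLIENT, 49154, "192.0.2.7", 80, "S", 64),
    Seg(2.0800, "192.0.2.7", 80, CLIENT, 49154, "SA", 49),     # normal handshake
]

if __name__ == "__main__":
    for key, reasons in find_forged_resets(CAPTURE, CLIENT):
        print(key, *reasons, sep="\n  ")
```

Only the first connection is flagged: the genuine refusal at 1.09 s takes a realistic round trip and is never contradicted by a SYN-ACK. The timing check needs the capture taken on the victim itself, and the TTL check only works when the forger's initial TTL differs from the TTL the real server's packets arrive with, so neither signal alone should be treated as proof.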

Key Features

IPNetSentryX provides an effective defense against hostile or misconfigured firewalls that generate promiscuous TCP resets.


Please send questions, comments, or suggestions using our general requests form:

http://www.sustworks.com/site/sup_questions.html
