Well I did post the source port, which reduces the effort by a factor of tens of thousands... also, the up-thread did say "with a single fake RST or FIN packet"... which is why I mentioned window guessing...
Also, crap, I'm an idiot. Let me do that non-natted ;)
tcp 0 0 216.240.155.220:4007 60.225.131.226:43972 ESTABLISHED 18694/nc
Sorry for the beginner questions, but how did the remote port change from 80 to 4007? Are you NATed on both ends? And, how did you go about getting the IP:port of your local router? Are you using some tool, or do you have root on your office router?
PREFIX: this is going to sound really cynical. Also, I haven't read RFC5961, so thanks :)
Yeah, actually it might have been. But I prefer to give HN the benefit of the doubt.
Umm I try and be gentle. But let's talk about the fundamental problem, since you appear to understand it.
TCP-RST DoS is like the worst denial of service ever, since it has such massive negative amplification. You're spending something like 30k * (required window guess packets) to interrupt one connection, which takes maybe fewer than 10 packets to re-establish. Unless you're talking about BGP, which, shit, we normally use TCP-MD5 for anyway. Even commodity home bullshit throws most of your packets away for free.
I take things quite slowly. The normal HN methodology is to go "Incorrect. blah blah blah.". Reality is nuanced and complicated. I try and avoid doing that, because honestly most statements are actually right when you squint at them the right way. Unfortunately, I get the most fake internet points when I say stupid and ultimately unsupportable bullshit while drunk. I still try to avoid doing that :/ But ahhhh here I go anyway.
The nuanced version of this is that most people's devices are going to get DoS'd way harder by fake ipsec traffic which forces checksums in CPU than it is by out of sequence packets which get handled in hardware.
But why don't we live in this fantasy world where we can all terminate TCP connections with imaginary sniper packets and ipsec solves everything.
..., most of it, is filtered out by the replay protection at virtually no processing cost. The HMAC verification is not exactly a CPU killer either, even less so if there's some sort of ASIC/accelerator involved, which won't be that unusual if IPsec is involved.
To not multiply the comments - what I said above about a single TCP packet obviously implies being on the route between the parties.
> ..., most of it, is filtered out by the replay protection at virtually no processing cost
Really? Think about that and reply, given the ability of your adversary to send arbitrary traffic.
> To not multiply the comments - what I said above about a single TCP packet obviously implies being on the route between the parties.
How is this seriously distinguishable from MITM? I mean what the hell. Come on you're stretching definitions here.
Uhhh anyway, I think in about 5 years you might be right. Practically speaking no consumer hardware has ipsec embedded but hopefully everyone will in the next few years.
The last time I was in Taiwan working on ASIC hardware none of the white brands did (and most of the big brands are just buying that crap and re-labelling it). Yeah, designed in $country? Nah. Taiwan is super good at design, they just need the vendor and the label on the box. Anyway, that was 2 years ago though, and I was just doing consumer bullshit.
In case you're interested (and you're probably not) the ASIC NAT hardware was only there coz it enabled the anemic CPU to NAT at the box's rated speed. Unfortunately it also turns out that's why most home users can't seriously torrent or do nice things :( Damn ASICs.
People wonder sometimes why the "open source" version is more expensive, and in terms of consumer routers, it's because the pure Linux versions don't have the secret sauce. You gotta use more CPU and memory. It's a worthwhile trade-off for not putting up with a real RTOS. But also, good luck doing MIMO 450 Mbps wireless N using just the Broadcom CPU at the rated MHz :) I'm not even sure if they license the drivers for open source now; I know they definitely didn't before.
There are some really hilarious things which happen where $marketing from $vendor decide that not only do they need a custom enclosure (everyone needs that), but that the box would look way better if the antennas were arranged in a certain way. This triggers multiple all-nighters from the engineers who have to re-layout the boards and redo the EMC tests.
Wait, I'm way off topic. I think my original point is that you probably don't have IPsec in hardware at home. I await brutal smackdown, coz the community is knowledgeable.
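The replay-protection argument between the two posts above (cheap filtering versus an adversary who can send arbitrary traffic), as an added example that is not code from the thread. It models the ESP anti-replay sliding window of RFC 4303 section 3.4.3 with a 64-bit bitmap and instruments it so you can see which packets are dropped on integer compares alone and which still reach the HMAC. The key, payload and traffic mix are constructed for the demonstration, and the ICV is a truncated HMAC-SHA256 standing in for whatever the SA negotiated.

```python
"""ESP-style anti-replay window, instrumented to count cheap drops versus
packets that reach the MAC.  Added example, not code from the thread;
key and traffic are constructed."""
import hashlib
import hmac

KEY = b"constructed demo key, not a real SA key"


def icv(seq, payload, key=KEY):
    """Truncated HMAC-SHA256 over sequence number and payload, standing in
    for the ESP integrity check value."""
    msg = seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number that passed the ICV
        self.bitmap = 0     # bit i set => seq (top - i) already accepted
        self.stats = {"accepted": 0, "cheap_drop": 0,
                      "icv_checks": 0, "bad_icv": 0}

    def receive(self, seq, payload, tag):
        # Step 1: replay check, integer compares only.  This is the part
        # that costs "virtually nothing": stale or duplicate sequence
        # numbers never reach the MAC.
        if seq <= self.top:
            too_old = self.top - seq >= self.size
            seen = (self.bitmap >> (self.top - seq)) & 1
            if too_old or seen:
                self.stats["cheap_drop"] += 1
                return "drop-replay"
        # Step 2: a fresh sequence number cannot be judged without the MAC,
        # so every such packet, forged or not, costs one HMAC.
        self.stats["icv_checks"] += 1
        if not hmac.compare_digest(icv(seq, payload), tag):
            self.stats["bad_icv"] += 1
            return "drop-bad-icv"   # window is NOT advanced on failure
        # Step 3: only authenticated packets move or mark the window.
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        self.stats["accepted"] += 1
        return "accept"


def simulate():
    """Legitimate peer, then a replaying attacker, then an attacker sending
    fresh sequence numbers with garbage tags.  Returns the counters and the
    set of verdicts each attacker got."""
    win = ReplayWindow()
    body = b"hello"
    for seq in range(1, 101):                       # honest traffic
        win.receive(seq, body, icv(seq, body))
    replayed = {win.receive(100, body, icv(100, body)) for _ in range(500)}
    stale = {win.receive(5, body, icv(5, body)) for _ in range(500)}
    forged = {win.receive(seq, body, b"\x00" * 16)  # never-seen seq, bad ICV
              for seq in range(101, 1101)}
    return win.stats, replayed, stale, forged


if __name__ == "__main__":
    stats, replayed, stale, forged = simulate()
    print(stats)
    print("replayed:", replayed, "stale:", stale, "forged:", forged)
```

Replaying a captured packet, or anything older than the window, is rejected on the bitmap and never touches the key. A packet carrying a sequence number the window has not accepted yet, which is exactly what an adversary who can send arbitrary traffic will choose (and can keep reusing, since a failed ICV never advances the window), forces an HMAC per packet before it can be dropped. Whether that matters then comes down to how fast the box can do HMACs, which is what the rest of the thread is about.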