Small example of using BPF to block TCP RST by @darkk. Works on Android, does not require root.
rstlss is an example of an unprivileged Linux process using a BPF filter to block certain TCP packets coming to the socket.
This specific example shows how to circumvent one-sided TCP reset attack by an on-path DPI box blockinghttps://rutracker.org (as Inappropriate TCP Resets Considered Harmful ).
On-path DPI box is assumed to be passive , being unable to drop packets, just being able to inject some.
One-sided TCP reset attack means that RST packet is injected only towards the “client” endpoints and the “server” does not get another RST. E.g. some networks in Uganda block OpenVPN/TCP with two-sided TCP reset attacks. One has to control the server as well to mitigate two-sided attack.
Note that you can’t use eBPF on Android: bpf() syscall is blocked by seccomp (it’s allowed only for system, but not for user applications). Android seccomp whitelists all syscalls in SYSCALLS.TXT, and then blacklists some, or whitelists missing. Since bpf() is missing from SYSCALLS.TXT and not whitelisted for applications, we can’t use bpf() on stock Android.
See https://github.com/aosp-mirror/platform_bionic/tree/master/libc
You can still use regular BPF (don’t confuse it with bpf() syscall which is used for eBPF).
