rstlss—Proof-of-concept of an unprivileged Linux/Android process using a BPF filter to block RST packets

Small example of using BPF to block TCP RST by @darkk. Works on Android, does not require root.

rstlss is an example of an unprivileged Linux process using a BPF filter to block certain TCP packets coming to the socket.

This specific example shows how to circumvent one-sided TCP reset attack by an on-path DPI box blocking (as Inappropriate TCP Resets Considered Harmful ). :slight_smile:

On-path DPI box is assumed to be passive , being unable to drop packets, just being able to inject some.

One-sided TCP reset attack means that RST packet is injected only towards the “client” endpoints and the “server” does not get another RST. E.g. some networks in Uganda block OpenVPN/TCP with two-sided TCP reset attacks. One has to control the server as well to mitigate two-sided attack.


Note that you can’t use eBPF on Android: bpf() syscall is blocked by seccomp (it’s allowed only for system, but not for user applications). Android seccomp whitelists all syscalls in SYSCALLS.TXT, and then blacklists some, or whitelists missing. Since bpf() is missing from SYSCALLS.TXT and not whitelisted for applications, we can’t use bpf() on stock Android.

You can still use regular BPF (don’t confuse it with bpf() syscall which is used for eBPF).

cBPF and eBPF support test example for Android, C source code and armv7/arm64 binaries. (6.0 KB)

More information here: