I've been reading about the TCP protocol recently because I was a little curious about how and why certain flags were used.
The information I found says that a TCP FIN should be used for a normal close of a connection, but it also says that a TCP RST can be used for an abortive close on an active connection.
My question is, why would one use a RST to abort/close an active connection over using TCP FIN?
(By an active connection I mean a connection where both endpoints have sent and received data after the standard three-way handshake. I know a RST can be used by the server when a client sends a SYN to a server port that is not listening.)
You wouldn't normally see a TCP RST. I suppose an application at layer 7 aborting might generate a RST, but I think you'll find that a RST is most often generated by a firewall between the two hosts. Here's a list of possible reasons from the TCP/IP guide:
Receipt of any TCP segment from any device with which the device receiving the segment does not currently have a connection (other than a SYN requesting a new connection).
Receipt of a message with an invalid or incorrect Sequence Number or Acknowledgment Number field, indicating the message may belong to a prior connection or is spurious in some other way.
Receipt of a SYN message on a port where there is no process listening for connections.
Some webservers use RST instead of FIN to close (persistent) connections. This is seen as an "optimisation", because it avoids the "half-closed" state and sidesteps some of the issues with missed FIN packets (any further transmission will just produce another RST) that would otherwise require state to be remembered (2xMaximum segment time IIRC) for longer on the server side.
See: this paper and Wikipedia on connection termination. (I'll try and dig out some more interesting references too).
You might also see a RST if the application with the socket crashed (segfault?), the host rebooted, or NAT table entries timed out before the connection itself did!
This is an edge case but I find it interesting:
Some filtering software like Websense (ab)uses RST packets. What happens is that instead of Websense sitting between all the traffic, it sniffs traffic off the wire. If it sees a blocked site, it spoofs an RST packet to the client (and I think maybe the server as well).
This is more of a clever trick than it is an intended use, though.
TCP is a reliable protocol. So in any case the message should not be lost in any direction, during the full life-cycle of a TCP connection. Connection termination is the last part. So TCP should make sure that all packets were delivered before closing the connection.
FIN is used to close TCP connections gracefully in each direction, while TCP RST is used in a scenario where TCP connections cannot recover from errors and the connection needs to reset forcibly. As per this TCP connection termination article, RST is used in abnormal conditions.
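The difference between the two closes as the peer sees it, as an added example that is not part of any post above: a loopback connection is closed once normally (FIN) and once with SO_LINGER set to a zero timeout, which makes close() abortive (RST). The function name and the Linux/BSD `struct linger` layout (two C ints) are assumptions of this example.

```python
import socket
import struct


def close_and_observe(abortive: bool) -> str:
    """Close the server side of an active loopback connection and
    report what the client's next recv() sees: 'eof' or 'reset'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    try:
        # Make the connection "active": data flows in both directions.
        client.sendall(b"ping")
        server.recv(4)
        server.sendall(b"pong")
        client.recv(4)

        if abortive:
            # l_onoff=1, l_linger=0: close() drops any unsent data and
            # sends RST instead of FIN, so this side skips TIME_WAIT.
            # Assumption: struct linger is two C ints (Linux/BSD).
            server.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                              struct.pack("ii", 1, 0))
        server.close()

        client.settimeout(2.0)
        try:
            data = client.recv(1024)
        except ConnectionResetError:
            return "reset"                   # peer aborted: RST received
        return "eof" if data == b"" else "data"  # b"" means FIN received
    finally:
        client.close()
        listener.close()


if __name__ == "__main__":
    print("normal close   ->", close_and_observe(abortive=False))
    print("abortive close ->", close_and_observe(abortive=True))
```

An application that logs `ConnectionResetError` (ECONNRESET) separately from a zero-length read can tell these two cases apart when diagnosing whether a peer, a crash, or a middlebox ended the connection.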