Internet Explorer and TCP RST - a reason to dislike

Internet Explorer and TCP RST
Through my online lifetime, I've have a variety of preferences in terms of web browsers. For a long time it was based on personal preferences; now it's based on hard technical facts.

First I liked Netscape and detested Internet Explorer, mainly on general principle (Microsoft being Microsoft, and all that). Then, as Netscape slowly rotted (and failed to fix the "reload the page when resizing the window" issue), I gravitated to IE, as at least a more functional solution. Then when Firefox came out, I moved away from IE again, preferring tabbed browsing, decent cookie handling (I'm a privacy nut), popup blocking, and a more pleasant feeling experience. These days, I still much prefer Firefox, although IE doesn't feel quite so bad as it did; in essence the three things above (tabs, cookies, popups) are dealt with adequately. All in all, IE7 didn't seem like too shabby a bit of software; a bit of a copycat derivative with nothing magically new to catch my attention, but still none too shabby.

Until a few weeks ago, when all that changed. It's a bit of a story to get there, but the journey helps explain why I feel the way I do, so bear with me.

It all started with some network changes at work; the result of these was to have a new ISA firewall (the Microsoft firewall/filtering/proxy product) between my WAN site and the rest of our WAN sites (including the site that has our internet connection). After deploying this, we started getting some reports of sporadic web browsing weirdness, with connections stalling and IE doing nothing (while claiming that it was loading). After some poking, I found some odd looking logs on the ISA firewall; it looked like it was blocking valid connections, but it was blocking the reverse, i.e. if my PC connected from some random port X (say, 10001) to HTTP (port 80) on a webserver at another site on the WAN, there would sometimes be logs saying that ISA blocked a "connection" with source port 80, destination port 10001, because it wasn't a SYN packet. I initially thought ISA was losing the plot completely and blocking valid traffic, but after calling Microsoft and poking around, all became clear. Internet Explorer (and possibly IIS in some circumstances), was closing connections by sending a packet with the TCP "RST" (Reset) flag set. The webserver still had some packets in flight, or had sent a final FIN, or FIN/ACK, or the like, and ISA was seeing these final packets, and deciding they were "out of state" because the connection had already been ruthlessly terminated by IE with the RST.

After some more tests, I found that IE was using keepalives, but when I closed the window while the connection was still alive, it sent a RST rather than a FIN. IE also sent a RST in a number of other conditions such as stopping a page loading, linking to another page etc, although not in an overly obvious pattern (the pattern is there, I just didn't spend a long time figuring it out). This seemed odd, so I perused the RFC for TCP/IP. It quite clearly indicates, repeatedly, that a RST is to be used when the connection gets out of sync (e.g. duplicate SYNS, or other anomalies). In fact, Page 36 says:
"As a general rule, reset (RST) must be sent whenever a segment arrives which apparently is not intended for the current connection. A reset must not be sent if it is not clear that this is the case."
Quite clearly, wanting to close a connection is not a case for sending a RST; the RFC even uses the magic words "MUST NOT" (not capitalised in the original), which in RFC terminology is the strongest prohibition possible.

There IS a well-defined way to close down a connection properly, and that is to send a FIN, get an ACK and a FIN back, send an ACK. Internet Explorer does do that, sometimes, if it feels like it, but more often than not, it simply aborts the connection with a TCP RST.

The annoying thing is, this behaviour is largely functional. Your average TCP/IP stack will handle receiving a RST and assume something went wrong. It works, but it is just SO WRONG. It defies the RFC and it is a thoroughly nasty thing to do, kind of ike hanging up the phone every time without saying goodbye, while the other person is still halfway through saying goodbye. It results in useless logs on firewalls (ISA obviously, but presumably others as well in the right conditions). It's just plain WRONG.

For reference, this has been studied before, but does not appear to be widely known or commented on (I was surprised to find out, and had to hunt high and low to find any references at all). A most interesting paper on it is at, titled "An Analysis of TCP Reset Behaviour on the Internet". They have some coherent arguments for why this behaviour is undesirable, and some very interesting numbers.

So, now you know why I don't like Internet Explorer. Not because of it's notorious security flaws (not so common these days, but still occuring), not just because it's from Microsoft. No, none of that. I don't like it, because it deliberatly flouts, breaks, and abuses the common standards on which the Internet is built. If you're a geek who cares about the internet and proper standards, spread the word. I've yet to find any feedback point at Microsoft to complain about this; if you know, please contact me so I can rant in the right direction.