Re: Small TCP packets == very large overhead == DoS?

From: Eric Vyncke (evynckeat_private)
Date: Mon Jul 09 2001 - 08:20:50 PDT

Next message: aleph1at_private: "Check Point response to RDP Bypass"

Previous message: Elmaizi, Karim: "Cayman-DSL Model 3220-H DOS with nmap"
Maybe in reply to: Darren Reed: "Small TCP packets == very large overhead == DoS?"
Next in thread: David LeBlanc: "RE: Small TCP packets == very large overhead == DoS?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Darren,

Interesting email...

If the attack is done through bad client specifying a ultra small MSS, at 
least, the server should be able to track them. As doing IP spoofing with 
TCP is difficult if the ISN are random enough.

If the attack is done through generated ICMP unreachable cannot fragment 
(mimicking the PMTUD process), well, the attacker needs to be on the path 
to be able to include the failed IP packet (mainly for TCP ports). And if 
the attacker is on the path, I'm pretty sure that he/she could do more 
damage anyway.

Having said this, I'll go to my web servers and check what their smallest 
MSS is ;-)

Just my still falling (!) 0.01 EUR

-eric

Next message: aleph1at_private: "Check Point response to RDP Bypass"
Previous message: Elmaizi, Karim: "Cayman-DSL Model 3220-H DOS with nmap"
Maybe in reply to: Darren Reed: "Small TCP packets == very large overhead == DoS?"
Next in thread: David LeBlanc: "RE: Small TCP packets == very large overhead == DoS?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 11:23:10 PDT