Re: Small TCP packets == very large overhead == DoS?

From: Crist Clark (crist.clarkat_private)
Date: Tue Jul 17 2001 - 17:20:36 PDT


    Guess we were all having too much fun at Black Hat/DEFCON.
    
    -------- Original Message --------
    Subject: Re: Small TCP packets == very large overhead == DoS?
    Date: Sun, 15 Jul 2001 20:29:41 -0600
    From: aleph1at_private
    To: Crist Clark <crist.clarkat_private>
    References: <200107092228.IAA26460at_private> <3B4AFF8D.5D6A0A89at_private> <3B4B3F9F.47ABD9C6at_private>
    
    It appears this message fell through the cracks. Please, feel free to
    post it again.
    
    * Crist Clark (crist.clarkat_private) [010710 11:47]:
    > John Kristoff wrote:
    > > Darren Reed wrote:
    > > > Silly window sizes aren't so bad.  If you have a window size of one then
    > > > you only ever have one outstanding piece of data sent at a time.  So if
    > > > I have 16k of data, it might take 32k or more packets, but I can only send
    > > > one packet at a time.
    > > 
    > > With a window size of 1, a misbehaving receiver might be able to
    > > anticipate packets injected into the network by the sender.  The
    > > receiver could aggressively generate ACKs before data is actually
    > > received (bypassing typical delayed ACK mechanisms).  This may be more
    > > of a problem for the sender if the rate of 1-byte ACKs is high.  If the
    > > connection and receiver's address could be spoofed, bursts of 1-byte
    > > segments from the sender can be sent to an innocent victim as part of a
    > > tinygram DoS attack.
    > 
    > OK, now we are getting away from MSS issues and moving completely into
    > "Daytona" TCP attacks. Daytona attacks are independent of any real or
    > imagined MSS issues, but it is possible that toying with the MSS could
    > amplify the effects of a Daytona attack.
    > 
    >   http://www.cs.washington.edu/homes/savage/papers/CCR99.pdf
    > 
    > -- 
    > Crist J. Clark                                Network Security Engineer
    > crist.clarkat_private                    Globalstar, L.P.
    > (408) 933-4387                                FAX: (408) 933-4926
    > 
    > The information contained in this e-mail message is confidential,
    > intended only for the use of the individual or entity named above.  If
    > the reader of this e-mail is not the intended recipient, or the employee
    > or agent responsible to deliver it to the intended recipient, you are
    > hereby notified that any review, dissemination, distribution or copying
    > of this communication is strictly prohibited.  If you have received this
    > e-mail in error, please contact postmasterat_private
    
    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
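
The thread above describes a receiver that generates ACKs before the data has actually arrived. The following sender-side check is an added example, not code from any poster in the thread: it flags ACKs that cover unsent data or that return faster than the path round-trip time allows. `Event`, `find_suspect_acks`, `base_rtt`, `slack` and the trace are all constructed for illustration, and the timing threshold is an assumed heuristic.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: float          # seconds, as seen at the sender
    kind: str         # "data" = segment we sent, "ack" = ACK we received
    seq: int = 0      # data: relative sequence number of the first byte
    length: int = 0   # data: payload bytes
    ack: int = 0      # ack: cumulative acknowledgement number

def find_suspect_acks(events, base_rtt, slack=0.5):
    """Return (time, ack, reason) for ACKs no honest receiver could have sent.

    base_rtt is an assumed baseline (for example, measured on the handshake);
    an ACK arriving less than slack * base_rtt after the newest segment it
    covers was sent cannot be a reaction to that segment.
    """
    sent = []       # (end_seq, send_time), in send order
    snd_nxt = 0     # highest sequence number sent so far, plus one
    suspects = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "data":
            end = ev.seq + ev.length
            if end > snd_nxt:            # skip retransmissions for timing
                sent.append((end, ev.t))
                snd_nxt = end
        elif ev.kind == "ack":
            if ev.ack > snd_nxt:
                suspects.append((ev.t, ev.ack, "acks data not yet sent"))
                continue
            covered = [ts for end, ts in sent if end <= ev.ack]
            if covered and ev.t - covered[-1] < slack * base_rtt:
                suspects.append((ev.t, ev.ack, "ack faster than path RTT"))
    return suspects

# Constructed trace: 1-byte segments, one outstanding at a time, 100 ms path.
BASE_RTT = 0.100
TRACE = [
    Event(0.000, "data", seq=0, length=1),
    Event(0.101, "ack", ack=1),            # honest: one RTT after the send
    Event(0.102, "data", seq=1, length=1),
    Event(0.110, "ack", ack=2),            # 8 ms after the send: anticipated
    Event(0.111, "data", seq=2, length=1),
    Event(0.115, "ack", ack=4),            # byte 3 has not been sent yet
    Event(0.116, "data", seq=3, length=1),
    Event(0.220, "ack", ack=4),            # honest again
]

if __name__ == "__main__":
    for t, ack, reason in find_suspect_acks(TRACE, BASE_RTT):
        print(f"{t:.3f}s ack={ack}: {reason}")
```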
    


