Guess we were all having too much fun at Black Hat/DEFCON. -------- Original Message -------- Subject: Re: Small TCP packets == very large overhead == DoS? Date: Sun, 15 Jul 2001 20:29:41 -0600 From: aleph1at_private To: Crist Clark <crist.clarkat_private> References: <200107092228.IAA26460at_private> <3B4AFF8D.5D6A0A89at_private> <3B4B3F9F.47ABD9C6at_private> It appears I this message felt through the cracks. Please, feel free to post it again. * Crist Clark (crist.clarkat_private) [010710 11:47]: > John Kristoff wrote: > > Darren Reed wrote: > > > Silly window sizes aren't so bad. If you have a window size of one then > > > you only ever have one outstanding piece of data sent at a time. So if > > > I have 16k of data, it might take 32k or more packets, but I can only send > > > one packet at a time. > > > > With a window size of 1, a misbehaving receiver might be able to > > anticipate packets injected into the network by the sender. The > > receiver could aggressively generate ACKs before data is actually > > received (bypassing typical delayed ACK mechanisms). This may be more > > of a problem for the sender if the rate of 1-byte ACKs is high. If the > > connection and receiver's address could be spoofed, bursts of 1-byte > > segments from the sender can be sent to an innocent victim as part of a > > tinygram DoS attack. > > OK, now we are getting away from MSS issues and moving completely into > "Daytona" TCP attacks. Daytona attacks are independent of any real or > imagined MSS issues, but it is possible that toying with the MSS could > amplify the effects of a Daytona attack. > > http://www.cs.washington.edu/homes/savage/papers/CCR99.pdf > > -- > Crist J. Clark Network Security Engineer > crist.clarkat_private Globalstar, L.P. > (408) 933-4387 FAX: (408) 933-4926 > > The information contained in this e-mail message is confidential, > intended only for the use of the individual or entity named above. If > the reader of this e-mail is not the intended recipient, or the employee > or agent responsible to deliver it to the intended recipient, you are > hereby notified that any review, dissemination, distribution or copying > of this communication is strictly prohibited. If you have received this > e-mail in error, please contact postmasterat_private -- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 08:14:22 PDT