[21409] in bugtraq
Re: Small TCP packets == very large overhead == DoS?
daemon@ATHENA.MIT.EDU (Eric Vyncke)
Mon Jul 9 14:22:40 2001
Message-Id: <4.3.2.7.2.20010709172029.01fe5448@brussels.cisco.com>
Date: Mon, 09 Jul 2001 17:20:50 +0200
To: bugtraq@securityfocus.com
From: Eric Vyncke <evyncke@cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Darren,
Interesting email...
If the attack is done through bad client specifying a ultra small MSS, at
least, the server should be able to track them. As doing IP spoofing with
TCP is difficult if the ISN are random enough.
If the attack is done through generated ICMP unreachable cannot fragment
(mimicking the PMTUD process), well, the attacker needs to be on the path
to be able to include the failed IP packet (mainly for TCP ports). And if
the attacker is on the path, I'm pretty sure that he/she could do more
damage anyway.
Having said this, I'll go to my web servers and check what their smallest
MSS is ;-)
Just my still falling (!) 0.01 EUR
-eric
