[21611] in bugtraq

Re: Small TCP packets == very large overhead == DoS?

daemon@ATHENA.MIT.EDU (Crist Clark)
Wed Jul 18 13:20:19 2001

Message-ID: <3B54D654.FD3AC922@globalstar.com>
Date: Tue, 17 Jul 2001 17:20:36 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Guess we were all having too much fun at Black Hat/DEFCON.

-------- Original Message --------
Subject: Re: Small TCP packets == very large overhead == DoS?
Date: Sun, 15 Jul 2001 20:29:41 -0600
From: aleph1@securityfocus.com
To: Crist Clark <crist.clark@globalstar.com>
References: <200107092228.IAA26460@caligula.anu.edu.au> <3B4AFF8D.5D6A0A89@depaul.edu> <3B4B3F9F.47ABD9C6@globalstar.com>

It appears this message fell through the cracks. Please, feel free to
post it again.

* Crist Clark (crist.clark@globalstar.com) [010710 11:47]:
> John Kristoff wrote:
> > Darren Reed wrote:
> > > Silly window sizes aren't so bad.  If you have a window size of one then
> > > you only ever have one outstanding piece of data sent at a time.  So if
> > > I have 16k of data, it might take 32k or more packets, but I can only send
> > > one packet at a time.
> > 
> > With a window size of 1, a misbehaving receiver might be able to
> > anticipate packets injected into the network by the sender.  The
> > receiver could aggressively generate ACKs before data is actually
> > received (bypassing typical delayed ACK mechanisms).  This may be more
> > of a problem for the sender if the rate of 1-byte ACKs is high.  If the
> > connection and receiver's address could be spoofed, bursts of 1-byte
> > segments from the sender can be sent to an innocent victim as part of a
> > tinygram DoS attack.
> 
> OK, now we are getting away from MSS issues and moving completely into
> "Daytona" TCP attacks. Daytona attacks are independent of any real or
> imagined MSS issues, but it is possible that toying with the MSS could
> amplify the effects of a Daytona attack.
> 
>   http://www.cs.washington.edu/homes/savage/papers/CCR99.pdf
> 
> -- 
> Crist J. Clark                                Network Security Engineer
> crist.clark@globalstar.com                    Globalstar, L.P.
> (408) 933-4387                                FAX: (408) 933-4926
> 
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above.  If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited.  If you have received this
> e-mail in error, please contact postmaster@globalstar.com

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
