Re: a cheesy Apache / IIS DoS vuln (+a question)

[Rob Sherwood <capveg () cs umd edu>]

On Thu, Jan 04, 2007 at 12:45:35PM +0100, Pieter de Boer wrote:
> Michal Zalewski wrote:
> >  2) Negotiate a high TCP window size for each of the connections (1 GB
> >     should be doable),
> >  
> For instance, FreeBSD by default has TCP send buffers set to 32KB. It 
> does not (apart from recent work) do dynamic buffer sizing. 32KB is all 
> you get. Sysadmins probably raise this value, but, especially with large 
> amounts of connections, it can't be set too high or mbufs will run out. 
> I'd guess people wouldn't set it to much more than 1MB or such.

Correct. rfc2414 says the initial sender window should be:

          min (4*MSS, max (2*MSS, 4380 bytes))              

So you can't just connect, request, and drop the connection to get a GB
of traffic.  The attacker must send acks periodically.

> Concluding, I think your suggested attack might work, but it would need 
> a braindead configuration on the sender's end to be really effective. 
> It's probably easier just to send some ACKs now and then..

This is exactly the attack described in CERT Advisory [VU#102014]
(http://www.kb.cert.org/vuls/id/102014)

and: 

Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse
Rob Sherwood, Bobby Bhattacharjee, Ryan Braud
Published in Computer and Communications Security (CCS) 2005
(http://www.cs.umd.edu/~capveg/optack/optack-ccs05.pdf)


- Rob Sherwood
.