Bugtraq mailing list archives
Re: a cheesy Apache / IIS DoS vuln (+a question)
From: Rob Sherwood <capveg () cs umd edu>
Date: Thu, 4 Jan 2007 13:47:00 -0500
On Thu, Jan 04, 2007 at 12:45:35PM +0100, Pieter de Boer wrote:
> Michal Zalewski wrote:
> > 2) Negotiate a high TCP window size for each of the connections (1 GB should be doable),
>
> For instance, FreeBSD by default has TCP send buffers set to 32KB. It does not (apart from recent work) do dynamic buffer sizing. 32KB is all you get. Sysadmins probably raise this value, but, especially with large amounts of connections, it can't be set too high or mbufs will run out. I'd guess people wouldn't set it to much more than 1MB or such.

Correct. rfc2414 says the initial sender window should be:

    min (4*MSS, max (2*MSS, 4380 bytes))

So you can't just connect, request, and drop the connection to get a GB of traffic. The attacker must send acks periodically.

> Concluding, I think your suggested attack might work, but it would need a braindead configuration on the sender's end to be really effective. It's probably easier just to send some ACKs now and then..

This is exactly the attack described in CERT Advisory [VU#102014] (http://www.kb.cert.org/vuls/id/102014) and:

    Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse
    Rob Sherwood, Bobby Bhattacharjee, Ryan Braud
    Published in Computer and Communications Security (CCS) 2005
    (http://www.cs.umd.edu/~capveg/optack/optack-ccs05.pdf)

- Rob Sherwood
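
The sender-side limits discussed in this message, as an added example that is not part of the original post: a simplified model in which the data a server has outstanding on one connection is the smallest of its congestion window, the window the receiver advertised, and its socket send buffer. The function names and the loss-free, one-flight-per-RTT model are assumptions made for illustration.

```python
# Added illustration, not code from the thread. Simplified model: no loss,
# no delayed ACKs, one flight of data per round trip (assumptions).

def initial_window(mss: int) -> int:
    """Initial congestion window in bytes, using the RFC 2414 formula quoted above."""
    return min(4 * mss, max(2 * mss, 4380))


def flights_per_rtt(mss: int, rwnd: int, sndbuf: int, rtts: int,
                    receiver_acks: bool) -> list[int]:
    """Bytes the sender may have outstanding in each successive RTT.

    mss           -- maximum segment size in bytes
    rwnd          -- window advertised by the receiver
    sndbuf        -- sender's socket send buffer (32 KB is the FreeBSD default
                     cited in the thread)
    receiver_acks -- whether the receiver acknowledges each flight
    """
    cwnd = initial_window(mss)
    flights = []
    for _ in range(rtts):
        # The sender is held to the smallest of the three bounds, so a huge
        # advertised window alone does not make it send more.
        flight = min(cwnd, rwnd, sndbuf)
        flights.append(flight)
        if not receiver_acks:
            # Without ACKs the window never opens: the sender can only
            # retransmit this first flight, no new data leaves the host.
            break
        # Slow start: cwnd grows by the amount acknowledged (roughly doubles).
        cwnd += flight
    return flights


if __name__ == "__main__":
    ONE_GB = 1 << 30
    # Constructed scenario: Ethernet-sized MSS, 1 GB advertised window,
    # 32 KB send buffer, six round trips.
    print("no ACKs  :", flights_per_rtt(1460, ONE_GB, 32 * 1024, 6, False))
    print("with ACKs:", flights_per_rtt(1460, ONE_GB, 32 * 1024, 6, True))
```

For capacity planning, the per-connection ceiling in this model is the send buffer, which is why raising it across many connections has the mbuf cost mentioned in the quoted text.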