Bugtraq mailing list archives

Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists?


From: stanislav shalunov <shalunov () internet2 edu>
Date: 24 Jul 2001 15:05:10 -0400

Manas Garg <mls () chakpak net> writes:

Stanislav Shalunov has described it fairly well and following is one
of the locations where what he wrote can be found:
http://security-archive.merton.ox.ac.uk/bugtraq-200004/0156.html

This particular archive HTMLizes messages, so it may be inconvenient
to get the code out of there.  See
http://www.internet2.edu/~shalunov/netkill/

Solaris (2.8): Well, it silently discarded the old connections to keep the
               number of connections to 450 (approximately). Didn't check the
               RAM and swap on this machine but what matters is that it was
               taking some action to avoid a FIN_WAIT_1 DoS attack.

Solaris 2.8 doing something is good news.  However, I don't believe
that throwing away the oldest connections is the best strategy here
(I'd rather throw away random connections, with preference to those
that eat a lot of buffer space).

2. Is there a particular reason that this vulnerability still exists
in these Operating Systems?

Well, it isn't very obvious what to do about it.  And breaking the
standard is undesirable.  Something has to be done about the spec.  Ad
hoc solutions, different for each OS, could easily lead to
unpredictable TCP reliability failures.

-- 
Stanislav Shalunov              http://www.internet2.edu/~shalunov/

Sex is the mathematics urge sublimated.                 -- M. C. Reed.
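Added example, not part of this thread or of netkill: a defender-side script that spots the FIN_WAIT_1 pile-up the thread describes in a socket table and applies the eviction policy Shalunov proposes (random victim, weighted toward sockets holding the most send-buffer memory) instead of oldest-first. The netstat-style sample is constructed; the netstat format and the FIN_WAIT1/FIN_WAIT_1 spellings are assumed.

```python
import random
from collections import defaultdict

# Constructed sample in the layout of `netstat -tan` on Linux (not from a real host).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:41234        ESTABLISHED
tcp        0  65536 10.0.0.5:80             203.0.113.7:50001       FIN_WAIT1
tcp        0  65536 10.0.0.5:80             203.0.113.7:50002       FIN_WAIT1
tcp        0   1024 10.0.0.5:80             198.51.100.3:33021      FIN_WAIT1
tcp        0      0 10.0.0.5:80             192.0.2.11:52200        FIN_WAIT2
"""

FIN_WAIT_1 = {"FIN_WAIT1", "FIN_WAIT_1"}  # netstat spelling and RFC 793 spelling

def parse_netstat(text):
    """One dict per TCP line: peer host, bytes still unacknowledged in Send-Q, state."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp":
            continue
        conns.append({"peer": f[4].rsplit(":", 1)[0], "sendq": int(f[2]), "state": f[5]})
    return conns

def stuck_by_peer(conns):
    """Per peer host: (FIN_WAIT_1 socket count, bytes held in send buffers).
    Many such sockets from one host, all with unacked data, is the pattern the thread describes."""
    out = defaultdict(lambda: [0, 0])
    for c in conns:
        if c["state"] in FIN_WAIT_1:
            out[c["peer"]][0] += 1
            out[c["peer"]][1] += c["sendq"]
    return {peer: tuple(v) for peer, v in out.items()}

def pick_victim(conns, seed=None):
    """Eviction policy from the message: drop a random FIN_WAIT_1 socket, weighted so
    that sockets holding more send-buffer memory are more likely to go first."""
    stuck = [c for c in conns if c["state"] in FIN_WAIT_1]
    if not stuck:
        return None
    weights = [c["sendq"] + 1 for c in stuck]  # +1 keeps empty buffers eligible
    return random.Random(seed).choices(stuck, weights=weights, k=1)[0]

if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    for peer, (n, held) in stuck_by_peer(conns).items():
        print(f"{peer}: {n} FIN_WAIT_1 sockets, {held} bytes unacked")
    print("would evict:", pick_victim(conns, seed=1))
```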

