Bugtraq mailing list archives
Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists?
From: woods () weird com (Greg A. Woods)
Date: Tue, 24 Jul 2001 16:10:23 -0400 (EDT)
[ On , July 24, 2001 at 15:05:10 (-0400), stanislav shalunov wrote: ]
Subject: Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists? (I'd rather throw away random connections, with preference to those that eat a lot of buffer space).
That seems illogical given the nature of the problem.
You definitely want to start cleaning up by throwing away connections in
the FIN_WAIT_1 state. Starting with the oldest ones may have less
impact on valid connections than simply clobbering random ones, and/or
clobbering the ones with the most buffers used.
If you've got some way to tell which connections have ever successfully
transmitted some valid data packets (i.e. gone beyond the handshake and
received any ACKs) then you might initially drop only the connections
which have not ever transmitted any data (er, received any valid ACKs
for sent packets). I guess it is possible for the attacker(s) to work
around this first-level defense though and ACK one or two data packets
first, but will they? :-)
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <woods () robohack ca>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
Current thread:
- FIN_WAIT_1 DoS: Why the vulnerability still exists? Manas Garg (Jul 24)
- Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists? stanislav shalunov (Jul 24)
- Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists? Greg A. Woods (Jul 25)
- Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists? stanislav shalunov (Jul 26)
- Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists? Greg A. Woods (Jul 25)
- Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists? stanislav shalunov (Jul 24)