Bugtraq mailing list archives

Re: FIN_WAIT_1 DoS (netkill): Why the vulnerability still exists?


From: stanislav shalunov <shalunov () internet2 edu>
Date: 25 Jul 2001 16:07:12 -0400

woods () weird com (Greg A. Woods) writes:

[ On July 24, 2001 at 15:05:10 (-0400), stanislav shalunov wrote: ]

(I'd rather throw away random connections, with preference to those
that eat a lot of buffer space).

That seems illogical given the nature of the problem.

[Suggestions on how to make changes to the kernel to make a particular
netkill script ineffective snipped.]

It's a solution to the wrong problem.  You assume a very specific
scenario and then proceed to state that attackers won't even change it
to the extent of sending another packet per connection.  Can you
somehow substantiate this statement?  What exactly will prevent them
from adding a dozen more lines to netkill?  You must have a very
optimistic threat model.

Your scenario also assumes that it'll be necessarily new FIN_WAIT_1
connections that eat the buffer space instead of addressing a general
problem: What do you do when your finite buffer space is exhausted
while the TCP spec tells you you need to maintain yet more state?

At any rate, BUGTRAQ isn't the place to solve this general problem.
Tsvwg might be...

-- 
Stanislav Shalunov              http://www.internet2.edu/~shalunov/

Letters in this message are closer than they appear.
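A toy model of the eviction policy Shalunov favours in the quoted line (shed random connections, biased toward those holding the most buffer space, regardless of TCP state). This is an added example, not code from the original thread or from any kernel; the connection table, state names and byte counts are constructed.

```python
"""Toy model of state-independent connection shedding under buffer
pressure: when the buffer budget is exhausted, drop connections chosen
at random with probability proportional to their buffer footprint.
Constructed example, not code from the original post or any kernel."""
import random
from dataclasses import dataclass


@dataclass
class Conn:
    cid: int        # connection identifier (constructed)
    state: str      # TCP state name, e.g. "ESTABLISHED", "FIN_WAIT_1"
    buffered: int   # bytes of queued/unacknowledged data held for it


def shed_connections(conns, budget, rng=None):
    """Return (kept, dropped): drop connections, weighted by buffer
    footprint, until the total buffered bytes fit within `budget`.
    Weighting by footprint makes a few large hogs far more likely to
    be chosen than many small connections, whatever TCP state they are in."""
    rng = rng or random.Random(0)
    kept = list(conns)
    dropped = []
    while kept and sum(c.buffered for c in kept) > budget:
        weights = [c.buffered for c in kept]
        if sum(weights) == 0:   # nothing holds buffer space; nothing to gain
            break
        victim = rng.choices(kept, weights=weights, k=1)[0]
        kept.remove(victim)
        dropped.append(victim)
    return kept, dropped


# Constructed table: a few small connections plus three (in different
# states) each holding a full window of data in the send buffer.
SAMPLE = [
    Conn(1, "ESTABLISHED", 512),
    Conn(2, "ESTABLISHED", 1024),
    Conn(3, "FIN_WAIT_1", 65535),
    Conn(4, "FIN_WAIT_1", 65535),
    Conn(5, "ESTABLISHED", 65535),
    Conn(6, "CLOSE_WAIT", 256),
]


def demo(budget=70000, seed=0):
    """Run the policy over SAMPLE with a fixed seed and summarise the outcome."""
    kept, dropped = shed_connections(SAMPLE, budget, random.Random(seed))
    return {"kept": [c.cid for c in kept],
            "dropped": [c.cid for c in dropped],
            "bytes": sum(c.buffered for c in kept)}
```

The policy does not look at the TCP state at all, which is the point of the argument: a window-hogging connection is shed whether it sits in FIN_WAIT_1 or ESTABLISHED.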

