Dailydave mailing list archives

Re: TCP Resource Exhaustion DoS Attack Speculation


From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 8 Oct 2008 10:30:35 +0100

Fyodor wrote on 02 October 2008 11:57:

> if I figure out or independently discover an issue.  There was lots of
> speculation on DailyDave about the DNS flaws, and I think I've figured
> out this "new" vulnerability.  The vague description and symptoms
> match those for a DoS tool (Ndos) I wrote and used years ago.
>
> I just posted a detailed description of the problem and its
> implications here:
>
> http://insecure.org/stf/tcp-dos-attack-explained.html

  Interesting idea, but I think that's not it.  I think they're leaving the
sockets on the victim in a closing state, either TIME_WAIT or CLOSE_WAIT, and
I think they're manipulating the victim stack to prolong this state to
arbitrary (ridiculously long, maybe years) durations, probably by playing
games with sACKs or maybe PAWS, or by misleading the RTT measurements into
coming out with silly values.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
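
The following is an added example, not part of the original message or of any tool it mentions: a defender-side check for the symptom hypothesised above, sockets accumulating in TIME_WAIT or CLOSE_WAIT with unusually long timers. It assumes Linux's `/proc/net/tcp` layout on a little-endian host; the sample rows, thresholds and function names are constructed for illustration.

```python
import socket
import struct
from collections import Counter

# "st" codes for the two closing states named in the post (Linux /proc/net/tcp).
CLOSING = {"06": "TIME_WAIT", "08": "CLOSE_WAIT"}
USER_HZ = 100  # assumption: tm->when is printed in clock ticks of 1/100 s

# Constructed sample rows; peers use documentation address ranges.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:0050 070200C0:C001 08 00000000:00000001 00:00000000 00000000    33        0 1002
   2: 0A00000A:0050 070200C0:C002 08 00000000:00000001 00:00000000 00000000    33        0 1003
   3: 0A00000A:0050 070200C0:C003 06 00000000:00000000 03:00001770 00000000     0        0 0
   4: 0A00000A:0050 096433C6:D431 06 00000000:00000000 03:000003E8 00000000     0        0 0
   5: 0A00000A:0050 096433C6:D432 01 00000000:00000000 00:00000000 00000000    33        0 1004
"""


def peer_ip(hex_addr):
    """Decode the hex IPv4 part of an 'ADDR:PORT' field (little-endian host assumed)."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr.split(":")[0], 16)))


def closing_sockets(proc_text):
    """Yield (peer_ip, state_name, timer_seconds) for TIME_WAIT/CLOSE_WAIT rows."""
    for line in proc_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 6 or f[3] not in CLOSING:
            continue
        ticks = int(f[5].split(":")[1], 16)  # "tr:tm->when", remaining timer in hex
        yield peer_ip(f[2]), CLOSING[f[3]], ticks / USER_HZ


def suspicious_peers(proc_text, max_per_peer=2, max_timer_s=120):
    """Peers holding too many closing-state sockets, or one with an overlong timer."""
    counts, longest = Counter(), {}
    for ip, _state, secs in closing_sockets(proc_text):
        counts[ip] += 1
        longest[ip] = max(longest.get(ip, 0.0), secs)
    return sorted(ip for ip in counts
                  if counts[ip] > max_per_peer or longest[ip] > max_timer_s)


if __name__ == "__main__":
    print(suspicious_peers(SAMPLE))
```

On a live host, pass the contents of `/proc/net/tcp` instead of `SAMPLE` and tune both thresholds to the server's normal connection churn.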

