Re: TCP receive window set to 0; DoS or not?

[Jim Shankland <nanog () shankland org>]

Richard A Steenbergen <ras () e-gerbil net> writes:
> Advertising a window of 0 is a perfectly valid way of telling the other
> side that you are temporarily out of resoruces, and would like them to
> stop sending you data....

Except that that's not what's going on here.  This message appears
when the TCP peer shrinks the window, withdrawing a previously granted
permission to send bytes -- a protocol violation.  For example, you're
free to tell me (with your window advertisement) that you're
authorizing me to send you 32K bytes, and then, after I've sent you
32K bytes, to close the window until you're ready to accept more.
You're not free to tell me it's OK to send 32K bytes, then change your
mind and advertise a window size of 0 after I've sent you only 16K
bytes.

To address the "DoS" question, I don't see how this protocol violation
enables a DoS attack.  More likely, it's simply somebody's buggy
TCP stack misbehaving.  That "somebody" is unlikely to be Windows, MacOS,
FreeBSD, or Linux.  My money is on some flavor of $50 NAT/"home router"
box.

Jim Shankland