lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 4 Jan 2007 13:47:00 -0500
From: Rob Sherwood <>
To: Pieter de Boer <>
Cc: Michal Zalewski <>,,
Subject: Re: a cheesy Apache / IIS DoS vuln (+a question)

On Thu, Jan 04, 2007 at 12:45:35PM +0100, Pieter de Boer wrote:
> Michal Zalewski wrote:
> >  2) Negotiate a high TCP window size for each of the connections (1 GB
> >     should be doable),
> >  
> For instance, FreeBSD by default has TCP send buffers set to 32KB. It 
> does not (apart from recent work) do dynamic buffer sizing. 32KB is all 
> you get. Sysadmins probably raise this value, but, especially with large 
> amounts of connections, it can't be set too high or mbufs will run out. 
> I'd guess people wouldn't set it to much more than 1MB or such.

Correct. rfc2414 says the initial sender window should be:

          min (4*MSS, max (2*MSS, 4380 bytes))              

So you can't just connect, request, and drop the connection to get a GB
of traffic.  The attacker must send acks periodically.

> Concluding, I think your suggested attack might work, but it would need 
> a braindead configuration on the sender's end to be really effective. 
> It's probably easier just to send some ACKs now and then..

This is exactly the attack described in CERT Advisory [VU#102014]


Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse
Rob Sherwood, Bobby Bhattacharjee, Ryan Braud
Published in Computer and Communications Security (CCS) 2005

- Rob Sherwood

Powered by blists - more mailing lists