Bugtraq mailing list archives

Re: Small TCP packets == very large overhead == DoS?


From: "Crist Clark" <crist.clark () globalstar com>
Date: Tue, 17 Jul 2001 17:20:36 -0700

Guess we were all having too much fun at Black Hat/DEFCON.

-------- Original Message --------
Subject: Re: Small TCP packets == very large overhead == DoS?
Date: Sun, 15 Jul 2001 20:29:41 -0600
From: aleph1 () securityfocus com
To: Crist Clark <crist.clark () globalstar com>
References: <200107092228.IAA26460 () caligula anu edu au> <3B4AFF8D.5D6A0A89 () depaul edu> <3B4B3F9F.47ABD9C6 () globalstar com>

It appears this message fell through the cracks. Please, feel free to
post it again.

* Crist Clark (crist.clark () globalstar com) [010710 11:47]:
John Kristoff wrote:
Darren Reed wrote:
Silly window sizes aren't so bad.  If you have a window size of one then
you only ever have one outstanding piece of data sent at a time.  So if
I have 16k of data, it might take 32k or more packets, but I can only send
one packet at a time.

With a window size of 1, a misbehaving receiver might be able to
anticipate packets injected into the network by the sender.  The
receiver could aggressively generate ACKs before data is actually
received (bypassing typical delayed ACK mechanisms).  This may be more
of a problem for the sender if the rate of 1-byte ACKs is high.  If the
connection and receiver's address could be spoofed, bursts of 1-byte
segments from the sender can be sent to an innocent victim as part of a
tinygram DoS attack.

OK, now we are getting away from MSS issues and moving completely into
"Daytona" TCP attacks. Daytona attacks are independent of any real or
imagined MSS issues, but it is possible that toying with the MSS could
amplify the effects of a Daytona attack.

  http://www.cs.washington.edu/homes/savage/papers/CCR99.pdf

-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
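
An added example, not part of the original thread: a sender-side check for the early ("optimistic") ACKs discussed above, run over a constructed trace of 1-byte segments. The names Event, find_optimistic_acks and TRACE and the 40 ms min_rtt floor are assumptions made for illustration.

```python
# Added example: sender-side check for optimistic ("Daytona") ACKs.
from dataclasses import dataclass

@dataclass
class Event:
    t: float         # seconds since connection start
    kind: str        # "send" or "ack"
    seq: int         # send: first byte of segment; ack: cumulative ACK number
    length: int = 0  # send only: payload bytes

def find_optimistic_acks(events, min_rtt):
    """Return (time, ack, reason) for ACKs the receiver could not have earned.

    min_rtt is an assumed floor on the path round-trip time, for example the
    sample taken from the handshake. Sequence wraparound is not handled.
    """
    sent_at = {}   # segment end sequence -> time of first transmission
    snd_nxt = 0
    flagged = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "send":
            end = ev.seq + ev.length
            sent_at.setdefault(end, ev.t)
            snd_nxt = max(snd_nxt, end)
        elif ev.kind == "ack":
            if ev.seq > snd_nxt:
                flagged.append((ev.t, ev.seq, "acks data never sent"))
                continue
            covered = [end for end in sent_at if end <= ev.seq]
            if not covered:
                continue
            newest = max(covered)  # newest segment this ACK fully covers
            if ev.t - sent_at[newest] < min_rtt:
                flagged.append((ev.t, ev.seq, "ack faster than path RTT"))
    return flagged

# Constructed trace of 1-byte segments on a path with a 40 ms RTT floor.
TRACE = [
    Event(0.000, "send", 0, 1),
    Event(0.045, "ack", 1),      # honest: 45 ms after the segment left
    Event(0.046, "send", 1, 1),
    Event(0.050, "ack", 2),      # 4 ms after send: cannot have been received
    Event(0.051, "send", 2, 1),
    Event(0.052, "ack", 4),      # beyond anything transmitted so far
    Event(0.095, "ack", 3),      # honest
]

if __name__ == "__main__":
    for t, ack, reason in find_optimistic_acks(TRACE, min_rtt=0.040):
        print(f"{t:.3f}s ack={ack}: {reason}")
```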
