Bugtraq mailing list archives

Re: a cheesy Apache / IIS DoS vuln (+a question)


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Thu, 4 Jan 2007 19:26:07 +0100 (CET)

On Thu, 4 Jan 2007, Michal Zalewski wrote:

On Thu, 4 Jan 2007, William A. Rowe, Jr. wrote:

  2) Theoretical window size limits and commonly implemented settings do
     have a side effect of making such attacks more feasible for
     attackers with a very limited bandwidth available. There's probably
     not that much difference between a 10 MB and a 1 GB window size,
     anyway: the attacker can establish a dial-up connection to ISP A,
     initiate a series of 5000x requests with 10 MB window size, then
     reconnect to ISP B, and continue to slowly and calmly spoof ACKs
     as coming from his previous IP to the attacked server (he knows
     all the sequence numbers). It would take 40 bytes to generate next
     10 MB of traffic within an established connection, so it still
     sounds like fun for a guy who has a 4 kB/s link. And that's why I
     asked whether there was any research done on such issues.

A kind reader pointed me off the list to this excellent paper that happens
to explore this vector in more detail (making the "Range" behavior more of
an issue for certain senders):

  Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse
  Rob Sherwood, Bobby Bhattacharjee, Ryan Braud
  Published in Computer and Communications Security (CCS) 2005
  http://www.cs.umd.edu/~capveg/optack/optack-ccs05.pdf

Cheers,
/mz
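The receiver-side behaviour discussed above (a client that keeps ACKing data it has not actually received, so that a large window turns a few bytes of ACK traffic into megabytes of server output) is something a sender can sanity-check for. The following is an added toy model, not code from this post, from Apache/IIS, or from the cited Sherwood et al. paper: it assumes a simplified TCP with fixed 1000-byte segments, a sliding window, no loss and no real retransmission timer. The sender deliberately withholds one randomly chosen segment per window and sends it only after the window's ACK arrives; an honest receiver can never cumulatively ACK past that hole, so an ACK that does is flagged and the transfer stops. The `Sender`, `HonestReceiver`, `OptimisticReceiver` and `run` names are all invented for the illustration.

```python
"""Toy TCP sender that detects optimistic (ahead-of-data) ACKs.

Constructed example. Simplifications: fixed segment size, cumulative ACKs
only, no loss, one withheld segment per window, and the hole is filled
once the window's ACK has been processed.
"""
import random

SEG = 1000  # constructed segment size in bytes


class Sender:
    def __init__(self, window_bytes, total_bytes, rng):
        self.window = window_bytes
        self.total = total_bytes
        self.rng = rng
        self.snd_una = 0      # oldest unacknowledged byte
        self.snd_nxt = 0      # next byte to send
        self.skipped = None   # (start, end) of the withheld segment, if any
        self.sent_bytes = 0   # bandwidth actually spent on this peer
        self.flagged = False  # set once the peer ACKs data it cannot have

    def send_round(self):
        """Emit one window of segments, withholding one chosen at random."""
        segs = []
        skip_idx = self.rng.randrange(max(1, self.window // SEG))
        i = 0
        while self.snd_nxt < min(self.snd_una + self.window, self.total):
            start, end = self.snd_nxt, min(self.snd_nxt + SEG, self.total)
            if i == skip_idx and self.skipped is None:
                self.skipped = (start, end)       # leave a hole on purpose
            else:
                segs.append((start, end))
                self.sent_bytes += end - start
            self.snd_nxt = end
            i += 1
        return segs

    def receive_ack(self, ack):
        """Apply a cumulative ACK; flag ACKs that cover bytes never delivered."""
        if ack > self.snd_nxt:
            self.flagged = True   # ACKs data that was never even sent
            return
        if self.skipped is not None and ack > self.skipped[0]:
            self.flagged = True   # ACKs across the withheld segment
            return
        self.snd_una = max(self.snd_una, ack)

    def fill_hole(self):
        """Send the withheld segment, as a real stack's retransmission would."""
        if self.skipped is None:
            return None
        seg, self.skipped = self.skipped, None
        self.sent_bytes += seg[1] - seg[0]
        return seg


class HonestReceiver:
    """ACKs only the contiguous prefix of bytes it has really received."""
    def __init__(self):
        self.got = []      # received (start, end) ranges
        self.rcv_nxt = 0

    def on_segments(self, segs):
        self.got.extend(segs)
        self.got.sort()
        for start, end in self.got:
            if start <= self.rcv_nxt < end:
                self.rcv_nxt = end
        return self.rcv_nxt


class OptimisticReceiver:
    """Knows the sequence numbers and ACKs one segment ahead of what it saw."""
    def __init__(self):
        self.ack = 0

    def on_segments(self, segs):
        self.ack = max(self.ack, max(end for _, end in segs) + SEG)
        return self.ack


def run(receiver_cls, window_bytes=10 * SEG, total_bytes=100 * SEG, seed=1):
    """Drive one transfer; return (flagged, bytes the sender spent, rounds)."""
    sender = Sender(window_bytes, total_bytes, random.Random(seed))
    receiver = receiver_cls()
    rounds = 0
    while sender.snd_una < total_bytes and not sender.flagged and rounds < 1000:
        sender.receive_ack(receiver.on_segments(sender.send_round()))
        if sender.flagged:
            break
        hole = sender.fill_hole()
        if hole is not None:
            sender.receive_ack(receiver.on_segments([hole]))
        rounds += 1
    return sender.flagged, sender.sent_bytes, rounds


if __name__ == "__main__":
    print("honest     :", run(HonestReceiver))
    print("optimistic :", run(OptimisticReceiver))
```

With the constructed parameters the honest receiver completes the 100 KB transfer in ten windows and the sender spends exactly the payload size, while the optimistic receiver is caught on its first ACK after only nine segments have left the sender, whichever segment happened to be withheld. The point of the check is that it costs the sender nothing extra (the hole is filled one round-trip later) while bounding how much bandwidth a misbehaving peer can extract before being cut off.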

