Dailydave mailing list archives
Re: TCP Resource Exhaustion DoS Attack Speculation
From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 8 Oct 2008 10:30:35 +0100
Fyodor wrote on 02 October 2008 11:57:
if I figure out or independently discover an issue. There was lots of speculation on DailyDave about the DNS flaws, and I think I've figured out this "new" vulnerability. The vague description and symptoms match those for a DoS tool (Ndos) I wrote and used years ago. I just posted a detailed description of the problem and its implications here: http://insecure.org/stf/tcp-dos-attack-explained.html
Interesting idea, but I think that's not it. I think they're leaving the sockets on the victim in a closing state, either TIME_WAIT or CLOSE_WAIT, and I think they're manipulating the victim stack to prolong this state to arbitrary (ridiculously long, maybe years) durations, probably by playing games with sACKs or maybe PAWS, or by misleading the RTT measurements into coming out with silly values.

cheers,
DaveK
--
Can't think of a witty .sigline today....
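An added example, not part of the original post: a defender-side check for the symptom the reply above speculates about, sockets accumulating in TIME_WAIT or CLOSE_WAIT. It parses Linux /proc/net/tcp text (IPv4 only, little-endian host assumed); the sample table, its addresses, the function names and the threshold are all constructed for illustration.

```python
import socket
import struct
from collections import Counter, defaultdict

# State codes from the "st" column of Linux /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}
CLOSING_STATES = {"TIME_WAIT", "CLOSE_WAIT"}  # the two states named in the reply

# Constructed sample in /proc/net/tcp layout (documentation-range addresses).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A0200C0:0050 076433C6:C001 08 00000000:00000000 00:00000000 00000000    33        0 1002
   2: 0A0200C0:0050 076433C6:C002 08 00000000:00000000 00:00000000 00000000    33        0 1003
   3: 0A0200C0:0050 076433C6:C003 08 00000000:00000000 00:00000000 00000000    33        0 1004
   4: 0A0200C0:0050 076433C6:C004 06 00000000:00000000 03:00000BB8 00000000     0        0 0
   5: 0A0200C0:0050 097100CB:D001 01 00000000:00000000 00:00000000 00000000    33        0 1005
   6: 0A0200C0:0050 097100CB:D002 06 00000000:00000000 03:00000BB8 00000000     0        0 0
"""

def decode_endpoint(field):
    """'0100007F:0050' -> ('127.0.0.1', 80). Address is host-order hex (little-endian assumed)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def closing_sockets_by_peer(table_text):
    """Count TIME_WAIT / CLOSE_WAIT sockets per remote IP."""
    per_peer = defaultdict(Counter)
    for line in table_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        state = TCP_STATES.get(cols[3].upper(), "UNKNOWN")
        if state in CLOSING_STATES:
            per_peer[decode_endpoint(cols[2])[0]][state] += 1
    return per_peer

def suspicious_peers(table_text, threshold):
    """Peers holding at least `threshold` sockets in closing states."""
    totals = {ip: sum(c.values()) for ip, c in closing_sockets_by_peer(table_text).items()}
    return {ip: n for ip, n in totals.items() if n >= threshold}

if __name__ == "__main__":
    print(suspicious_peers(SAMPLE, threshold=3))
```

On a live Linux host, pass the contents of /proc/net/tcp instead of SAMPLE and compare successive snapshots: a per-peer count that keeps growing rather than draining is the pattern to look at.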