Security Incidents mailing list archives
data payload in SYN (Re: DoS/DDoS on port 1863(MSN protocol))
From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 29 Sep 2004 23:17:04 +0200
On Mon, Sep 27, 2004 at 05:00:22PM -0600, Tillman Hodgson wrote:
Data certainly can appear in SYN packets. RFC 793 section 3.4 allows data in SYN packets, saying ``this is perfectly legitimate, so long as the receiving TCP doesn't deliver the data to the user until it is clear the data is valid (i.e., the data must be buffered at the receiver until the connection reaches the ESTABLISHED state)''.
But the reality is different. Such payload will be ignored on some stacks, rejected by others and accepted by the rest. Comments from linux-2.4/net/ipv4/tcp_input.c:tcp_rcv_state_process() puts some light on it: [socket in TCP_LISTEN state, receiving SYN packet] /* Now we have several options: In theory there is * nothing else in the frame. KA9Q has an option to * send data with the syn, BSD accepts data with the * syn up to the [to be] advertised window and * Solaris 2.1 gives you a protocol error. For now * we just ignore it, that fits the spec precisely * and avoids incompatibilities. It would be nice in * future to drop through and process the data. * * Now that TTCP is starting to be used we ought to * queue this data. * But, this leaves one open to an easy denial of * service attack, and SYN cookies can't defend * against this problem. So, we drop the data * in the interest of security over speed. */ Martin Mačok IT Security Consultant
Current thread:
- Port 7000 (Apple File Share) DoS/DDoS underway, (continued)
- Port 7000 (Apple File Share) DoS/DDoS underway David Gillett (Sep 21)
- Re: Port 7000 (Apple File Share) DoS/DDoS underway Christine Kronberg (Sep 22)
- Re: Port 7000 (Apple File Share) DoS/DDoS underway Daniel Hanson (Sep 22)
- Re: Port 7000 (Apple File Share) DoS/DDoS underway Christine Kronberg (Sep 23)
- Re: Port 7000 (Apple File Share) DoS/DDoS underway Christine Kronberg (Sep 22)
- Re: Port 7000 (Apple File Share) DoS/DDoS underway Chris Krough (Sep 22)
- Re: Port 7000 (Apple File Share) DoS/DDoS underway Chris Krough (Sep 22)
- DoS/DDoS on port 1863(MSN protocol) Diego Sebastián González (Sep 26)
- RE: DoS/DDoS on port 1863(MSN protocol) easternerd (Sep 27)
- Re: DoS/DDoS on port 1863(MSN protocol) Kevin Reardon (Sep 27)
- Re: DoS/DDoS on port 1863(MSN protocol) Tillman Hodgson (Sep 29)
- data payload in SYN (Re: DoS/DDoS on port 1863(MSN protocol)) Martin Mačok (Sep 29)
- Port 7000 (Apple File Share) DoS/DDoS underway David Gillett (Sep 21)
- Re: DoS/DDoS on port 1863(MSN protocol) terry white (Sep 27)
- Re: DoS/DDoS on port 1863(MSN protocol) Martin Mačok (Sep 28)