Security Incidents mailing list archives

data payload in SYN (Re: DoS/DDoS on port 1863(MSN protocol))


From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 29 Sep 2004 23:17:04 +0200

On Mon, Sep 27, 2004 at 05:00:22PM -0600, Tillman Hodgson wrote:

Data certainly can appear in SYN packets.

RFC 793 section 3.4 allows data in SYN packets, saying ``this is
perfectly legitimate, so long as the receiving TCP doesn't deliver the
data to the user until it is clear the data is valid (i.e., the data
must be buffered at the receiver until the connection reaches the
ESTABLISHED state)''.

But the reality is different. Such payload will be ignored on some stacks,
rejected by others and accepted by the rest.

Comments from linux-2.4/net/ipv4/tcp_input.c:tcp_rcv_state_process() shed some
light on it:

[socket in TCP_LISTEN state, receiving SYN packet]

    /* Now we have several options: In theory there is
     * nothing else in the frame. KA9Q has an option to
     * send data with the syn, BSD accepts data with the
     * syn up to the [to be] advertised window and
     * Solaris 2.1 gives you a protocol error. For now
     * we just ignore it, that fits the spec precisely
     * and avoids incompatibilities. It would be nice in
     * future to drop through and process the data.
     *
     * Now that TTCP is starting to be used we ought to
     * queue this data.
     * But, this leaves one open to an easy denial of
     * service attack, and SYN cookies can't defend
     * against this problem. So, we drop the data
     * in the interest of security over speed.
     */


Martin Mačok
IT Security Consultant
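The behaviour described in the thread (a receiver must not hand SYN-carried data to the user before ESTABLISHED, and Linux 2.4 simply drops it) is worth being able to see in traffic. The following is an added example, not code from the original post or from the Linux kernel: a small stand-alone Python parser that decodes IPv4/TCP frames and flags pure SYN segments (no ACK bit) that carry a payload, which is exactly the case the kernel comment is about. The packets it scans are constructed inline with a helper (checksums are left at zero because the parser never validates them); names such as `find_syn_with_data` and the 10.0.0.x addresses are assumptions for the example.

```python
import socket
import struct

# TCP flag bits (low 9 bits of the data-offset/flags word).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Decode one IPv4 packet carrying TCP and report header fields plus payload length.

    Raises ValueError on anything that is not a well-formed IPv4/TCP frame, so a
    caller can skip junk instead of silently misreading it.
    """
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = frame[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:
        raise ValueError("not TCP")
    if ihl < 20 or total_len > len(frame) or total_len < ihl + 20:
        raise ValueError("inconsistent IPv4 lengths")

    tcp = frame[ihl:total_len]          # honour the IP total length, ignore trailing padding
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4     # TCP header length including options
    flags = off_flags & 0x1FF
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")

    return {
        "src": socket.inet_ntoa(frame[12:16]),
        "dst": socket.inet_ntoa(frame[16:20]),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "flags": flags,
        "payload_len": len(tcp) - data_off,
        "payload": tcp[data_off:],
    }


def is_syn_with_data(pkt: dict) -> bool:
    """True for a pure SYN (SYN set, ACK clear) that carries bytes after the TCP header.

    SYN|ACK with data is legal under RFC 793 as well, but the thread concerns SYNs
    arriving at a LISTEN socket, so only those are flagged here.
    """
    f = pkt["flags"]
    return bool(f & SYN) and not (f & ACK) and pkt["payload_len"] > 0


def find_syn_with_data(frames) -> list:
    """Scan raw frames and return the parsed records of SYN-with-payload segments."""
    hits = []
    for frame in frames:
        try:
            pkt = parse_ipv4_tcp(frame)
        except ValueError:
            continue                     # not IPv4/TCP or malformed: nothing to classify
        if is_syn_with_data(pkt):
            hits.append(pkt)
    return hits


def build_sample(flags: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2",
                 sport=40000, dport=1863) -> bytes:
    """Constructed sample IPv4/TCP frame for offline testing (checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


# Constructed traffic: a normal SYN, a SYN carrying data, a SYN|ACK, and a data segment.
SAMPLE_FRAMES = [
    build_sample(SYN, b""),
    build_sample(SYN, b"hello"),
    build_sample(SYN | ACK, b"", src="10.0.0.2", dst="10.0.0.1", sport=1863, dport=40000),
    build_sample(ACK | PSH, b"later data"),
]

if __name__ == "__main__":
    for hit in find_syn_with_data(SAMPLE_FRAMES):
        print(f"SYN with {hit['payload_len']} data bytes: "
              f"{hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']}")
```

Run against a packet capture, the same `find_syn_with_data` loop tells you whether any client on the wire is actually relying on data-in-SYN, which, given the comment above, it should not expect a Linux 2.4 listener to honour.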

