Re: a cheesy Apache / IIS DoS vuln (+a question)
On Thu, Jan 04, 2007 at 12:45:35PM +0100, Pieter de Boer wrote:
> Michal Zalewski wrote:
> > 2) Negotiate a high TCP window size for each of the connections (1 GB
> > should be doable),
> >
> For instance, FreeBSD by default has TCP send buffers set to 32KB. It
> does not (apart from recent work) do dynamic buffer sizing. 32KB is all
> you get. Sysadmins probably raise this value, but, especially with large
> amounts of connections, it can't be set too high or mbufs will run out.
> I'd guess people wouldn't set it to much more than 1MB or such.
Correct. rfc2414 says the initial sender window should be:
min (4*MSS, max (2*MSS, 4380 bytes))
So you can't just connect, request, and drop the connection to get a GB
of traffic. The attacker must send acks periodically.
> Concluding, I think your suggested attack might work, but it would need
> a braindead configuration on the sender's end to be really effective.
> It's probably easier just to send some ACKs now and then..
This is exactly the attack described in CERT Advisory [VU#102014]
(http://www.kb.cert.org/vuls/id/102014)
and:
Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse
Rob Sherwood, Bobby Bhattacharjee, Ryan Braud
Published in Computer and Communications Security (CCS) 2005
(http://www.cs.umd.edu/~capveg/optack/optack-ccs05.pdf)
- Rob Sherwood
.