Re: [tcpm] New I-D

John Heffner <> Wed, 21 February 2007 22:38 UTC

Received: from [] ( by with esmtp (Exim 4.43) id 1HK067-00027x-El; Wed, 21 Feb 2007 17:38:03 -0500
Received: from [] ( by with esmtp (Exim 4.43) id 1HK066-0001we-9q for; Wed, 21 Feb 2007 17:38:02 -0500
Received: from ([]) by with esmtp (Exim 4.43) id 1HK061-0007oA-Up for; Wed, 21 Feb 2007 17:38:02 -0500
Received: from [] ( []) (authenticated bits=0) by (8.13.8/8.13.3) with ESMTP id l1LMbnRl013562 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Feb 2007 17:37:50 -0500 (EST)
Message-ID: <>
Date: Wed, 21 Feb 2007 17:37:47 -0500
From: John Heffner <>
User-Agent: Thunderbird (Macintosh/20061207)
MIME-Version: 1.0
Subject: Re: [tcpm] New I-D
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2409bba43e9c8d580670fda8b695204a
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

I think I agree with Wes, David and Mark that this is more of an OS than 
a protocol issue (if I'm characterizing their comments correctly), and 
Fernando that the approach is not powerful enough to solve the broader 
problem when viewed as an attack.

To expand a bit, I had a hallway conversation a couple years ago with 
Stanislav Shalunov about his netkill [1] attack, and more generally 
about contention for send buffer memory.  (I think the problem you're 
addressing falls precisely into this broader category.)  What I took 
away from this (Stas may or may not agree) is that since the resource 
contention occurs at the operating system level (competing for scarce 
kernel memory), that is the right place to arbitrate the contention. 
Each host may want to apply a different policy based on what it 
considers important.

As proof of concept, I wrote up a simple script (I think only about 30 
lines of python) that used the TCP ESTATS MIB to monitor connections, 
and kill off ones making no progress while consuming the most memory. 
This proved an effective defense against netkill, and I think would 
solve the problem described in the draft as well.  It would be easy 
enough to write a kernel thread to do the same if the system doesn't do 



tcpm mailing list