Re: [tcpm] New I-D (draft-mahesh-persist-timeout-00.txt)

MURALI BASHYAM <murali_bashyam@yahoo.com> Wed, 14 February 2007 08:14 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HHFHR-0001QV-FW; Wed, 14 Feb 2007 03:14:21 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HHFHP-0001QG-RE for tcpm@ietf.org; Wed, 14 Feb 2007 03:14:19 -0500
Received: from web31708.mail.mud.yahoo.com ([68.142.201.188]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1HHFHO-0003Mc-GI for tcpm@ietf.org; Wed, 14 Feb 2007 03:14:19 -0500
Received: (qmail 1904 invoked by uid 60001); 14 Feb 2007 08:14:17 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=Behm2+s3NJQWc+O6xbsRam522ACq0kQ2RLa7eW7662e7a5R9ZkbSyUirtbSU8mmySHmARAJ6vru7nTcXc26T4mc6rSl2/65MlYXDWAxoFwTBWCDZWRwhgR+owTcpbDJkgF3T55t4b0Zi7R1jtCU6wBKsf7rHyZQxODNMjYkxORY=;
X-YMail-OSG: 5VYYax8VM1ly8j65Cl0aZkCdDdEM_X1xldD0K6sulqPcy9pWO.WnAwyabWa4fq5xs4B5wrUK6qJlQ3exw2V8aTAxZZhVnpHudF6SzxP_yya2Lral.jw10Sz01oQB58KteuGSromqY4c-
Received: from [24.6.27.26] by web31708.mail.mud.yahoo.com via HTTP; Wed, 14 Feb 2007 00:14:17 PST
Date: Wed, 14 Feb 2007 00:14:17 -0800 (PST)
From: MURALI BASHYAM <murali_bashyam@yahoo.com>
Subject: Re: [tcpm] New I-D (draft-mahesh-persist-timeout-00.txt)
To: Fernando Gont <fernando@gont.com.ar>, Mahesh Jethanandani <mahesh@cisco.com>
In-Reply-To: <200702140801.l1E81fPQ019857@venus.xmundo.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <864148.91659.qm@web31708.mail.mud.yahoo.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: fb6060cb60c0cea16e3f7219e40a0a81
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

Good point.

This particular behaviour can be detected quite easily
when compared to a well-behaved receiver. A
well-behaved TCP receiver will do receive side silly
window avoidance, and would only advertise a window
increase when at least a MSS worth of buffer space is
available (typically). 

Murali

--- Fernando Gont <fernando@gont.com.ar> wrote:

> At 03:24 p.m. 13/02/2007, you wrote:
> 
> Comments inline....
> 
> 
> >A new I-D has been posted on the IETF web site.
> >
>
><http://www.ietf.org/internet-drafts/draft-mahesh-persist-timeout-00.txt>http://www.ietf.org/internet-drafts/draft-mahesh-persist-timeout-00.txt
> >"TCP Maintenance and Minor Extensions", Mahesh
> Jethanandani, Murali 
> >Bashyam, 9-Feb-07,
> <draft-mahesh-persist-timeout-00.txt> Comments are
> welcome.
> 
> What if I advertise a window of 1, instead?
> 
> Or, what if I advertise a window of zero, then
> before you abort the 
> connection I advertise a window of a few bytes, and
> then I go back to 
> advertising a window of zero (and so on)?
> 
> I think it is interesting to find a workaround for
> this type of 
> resource exhaustion attack (as well as for Netkill,
> etc.).
> 
> However, I think the heuristics will need to be more
> complex. If not, 
> it will be easy (and cheap) for the attacker to fool
> the proposed 
> counter-measures. (the examples above are some
> possible ways to do so).
> 
> Kindest regards,
> 
> -- 
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE
> A9EF D076 FFF1
> 
> 
> 
> 
> 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www1.ietf.org/mailman/listinfo/tcpm
> 



 
____________________________________________________________________________________
8:00? 8:25? 8:40? Find a flick in no time 
with the Yahoo! Search movie showtime shortcut.
http://tools.search.yahoo.com/shortcuts/#news

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm