Re: [tcpm] Is this a problem?

MURALI BASHYAM <murali_bashyam@yahoo.com> Fri, 02 November 2007 07:00 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1InqWP-0001qs-Tu; Fri, 02 Nov 2007 03:00:49 -0400
Received: from tcpm by megatron.ietf.org with local (Exim 4.43) id 1InqWO-0001oZ-67 for tcpm-confirm+ok@megatron.ietf.org; Fri, 02 Nov 2007 03:00:48 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1InqWJ-0001kl-CE for tcpm@ietf.org; Fri, 02 Nov 2007 03:00:43 -0400
Received: from web31711.mail.mud.yahoo.com ([68.142.201.191]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1InqWD-0002n4-2k for tcpm@ietf.org; Fri, 02 Nov 2007 03:00:43 -0400
Received: (qmail 59364 invoked by uid 60001); 2 Nov 2007 07:00:23 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Message-ID; b=abYEyR69nq22hv+HdAe4IULuV5y1Rl++3t9kAD+7cU/sUKcuXPlYpp0yb9TVKMCg0Cs/WQ5uJnmhbrxsTti411whkzOX9W7yau+TawwD5fsDm7jLbpQpaC/lyO6viN/sMeOD7nTLxY9TfhtLRKlZBuey/+Fha3ZMeWfpIFsjv8w=;
X-YMail-OSG: DYrXJAUVM1l3WC0bMS9L1Xz4OM2_sO0tq2O4Wn7cyrWnAnZDDqm9hwIS.Ih6tmqu8BHlbA05ojytp6Q5EjmV6MfebtmTBO3xW5gM7lCbb62Sn6k-
Received: from [67.161.9.166] by web31711.mail.mud.yahoo.com via HTTP; Fri, 02 Nov 2007 00:00:22 PDT
X-Mailer: YahooMailRC/814.05 YahooMailWebService/0.7.152
Date: Fri, 2 Nov 2007 00:00:22 -0700 (PDT)
From: MURALI BASHYAM <murali_bashyam@yahoo.com>
Subject: Re: [tcpm] Is this a problem?
To: John Heffner <jheffner@psc.edu>, Mahesh Jethanandani <mahesh@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <359024.58790.qm@web31711.mail.mud.yahoo.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b280b4db656c3ca28dd62e5e0b03daa8
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

Clearly there seems to be no consensus on where the problem lies.  I've heard that it's not a transport problem, and that the responsibility for mitigating the problem lies with a) sockets API, b) OS, and
c) the application. That's as varied a response as one can get...

It seems to me that all of these approaches have a key flaw in that they leave the solution to be handled by a proprietary method of defending against the attack. Solving the problem in the transport layer would make the solution a standard one and applicable to environments a) where the standard BSD socket API is not the transport layer interface of choice, b) would work for user space or kernel-less TCP implementations such as TCP proxies and hence would not have to depend on the OS, and c) certainly would not have to be at the mercy of the plethora of TCP based applications out there which have not done anything abt it so far and are making the entire server vulnerable in the process.


----- Original Message ----
From: John Heffner <jheffner@psc.edu>
To: Mahesh Jethanandani <mahesh@cisco.com>
Cc: tcpm@ietf.org
Sent: Tuesday, October 30, 2007 11:58:58 AM
Subject: Re: [tcpm] Is this a problem?


Mahesh Jethanandani wrote:
> Folks,
> 
> We have documented a case of HTTP servers that are prone to resource
 starvation with the use of a small user level program. The program does
 not require any special privileges or changes in the kernel. The user
 level program on the client opens a connection to a HTTP server, sends
 a GET request for a large file (larger than the advertised window of
 the client) but never reads the response.

This problem has been well documented for at least seven years.
http://shlang.com/netkill/
http://shlang.com/netkill/20000421-netkill-bugtraq-announcement.txt


> Three well-known, public sites were tested for this vulnerability.
 The two most common HTTP servers, Apache and IIS were the target. While
 one site had put mitigation technique in place, the others had none.
 With the latter two we were able to hold connections in ESTABLISHED state
 for days. The former site had a mitigation in place with a fixed
 timeout of 11 min., which was easy to guess and work around.
> 
> We (the authors) believe that this is a huge problem. What do you
 folks feel?

I personally believe it is a problem, but the absence of wide-spread 
attacks using this technique leads me to believe that other attacks are
 
still more effective.  All the same, I would like to see more
 widespread 
defense against it.


> Previous responses to this documentation has been that it is a
 application problem. It is clear from our experimentation that most HTTP
 servers (and FTP too) have not implemented any mitigation techniques. We
 believe that this problem exists across the whole range of TCP based
 applications prevalent on the internet, although our experiments were
 limited to the web application. Where applications have tried to put
 mitigation techniques in place, workaround has been easy. This is mainly
 because applications do not have the same amount of visibility as TCP does
 on the state of the connection.

I think nearly all responses (including mine) have been of the opinion 
that this is not a transport problem.  However, I think this is not 
necessarily an application problem, either.  Since the contended 
resource is system memory, the best place to implement a fairness
 policy 
is in the operating system -- possibly but not necessarily in the
 kernel 
(for OS's where such a distinction applies).

   -John


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm




__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm