Re: [tcpm] Is this a problem?
MURALI BASHYAM <murali_bashyam@yahoo.com> Fri, 02 November 2007 07:00 UTC
Date: Fri, 02 Nov 2007 00:00:22 -0700
From: MURALI BASHYAM <murali_bashyam@yahoo.com>
Subject: Re: [tcpm] Is this a problem?
To: John Heffner <jheffner@psc.edu>, Mahesh Jethanandani <mahesh@cisco.com>
Message-ID: <359024.58790.qm@web31711.mail.mud.yahoo.com>
Cc: tcpm@ietf.org
Clearly there seems to be no consensus on where the problem lies. I've heard that it's not a transport problem, and that the responsibility for mitigating the problem lies with a) the sockets API, b) the OS, and c) the application. That's as varied a response as one can get...

It seems to me that all of these approaches have a key flaw in that they leave the solution to be handled by a proprietary method of defending against the attack. Solving the problem in the transport layer would make the solution a standard one and applicable to environments a) where the standard BSD socket API is not the transport layer interface of choice, b) would work for user space or kernel-less TCP implementations such as TCP proxies and hence would not have to depend on the OS, and c) certainly would not have to be at the mercy of the plethora of TCP based applications out there which have not done anything about it so far and are making the entire server vulnerable in the process.

----- Original Message ----
From: John Heffner <jheffner@psc.edu>
To: Mahesh Jethanandani <mahesh@cisco.com>
Cc: tcpm@ietf.org
Sent: Tuesday, October 30, 2007 11:58:58 AM
Subject: Re: [tcpm] Is this a problem?

Mahesh Jethanandani wrote:
> Folks,
>
> We have documented a case of HTTP servers that are prone to resource starvation with the use of a small user level program. The program does not require any special privileges or changes in the kernel. The user level program on the client opens a connection to a HTTP server, sends a GET request for a large file (larger than the advertised window of the client) but never reads the response.

This problem has been well documented for at least seven years.
http://shlang.com/netkill/
http://shlang.com/netkill/20000421-netkill-bugtraq-announcement.txt

> Three well-known, public sites were tested for this vulnerability. The two most common HTTP servers, Apache and IIS, were the target. While one site had put a mitigation technique in place, the others had none. With the latter two we were able to hold connections in ESTABLISHED state for days. The former site had a mitigation in place with a fixed timeout of 11 min., which was easy to guess and work around.
>
> We (the authors) believe that this is a huge problem. What do you folks feel?

I personally believe it is a problem, but the absence of widespread attacks using this technique leads me to believe that other attacks are still more effective. All the same, I would like to see more widespread defense against it.

> Previous responses to this documentation have been that it is an application problem. It is clear from our experimentation that most HTTP servers (and FTP too) have not implemented any mitigation techniques. We believe that this problem exists across the whole range of TCP based applications prevalent on the internet, although our experiments were limited to the web application. Where applications have tried to put mitigation techniques in place, the workaround has been easy. This is mainly because applications do not have the same amount of visibility as TCP does on the state of the connection.

I think nearly all responses (including mine) have been of the opinion that this is not a transport problem. However, I think this is not necessarily an application problem, either. Since the contended resource is system memory, the best place to implement a fairness policy is in the operating system -- possibly but not necessarily in the kernel (for OS's where such a distinction applies).

-John

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm
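The OS-level "fairness policy" John describes, sketched as an added example (mine, not code from anyone in this thread): it acts only while queued send-buffer memory is over a limit, and it ranks connections by how fast the peer has actually drained data over the connection's life, which TCP can observe and an application cannot, so a client that reads a byte just before a guessed fixed timeout still ranks last. The connection records, the memory limit and the timestamps are constructed.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    cid: int
    established_at: float   # seconds; when the connection reached ESTABLISHED
    bytes_acked: int        # data the peer has acknowledged so far
    queued_bytes: int       # data held in the send buffer, blocked by the peer's window


def drain_rate(conn, now):
    """Bytes per second the peer has actually consumed since ESTABLISHED."""
    age = max(now - conn.established_at, 1e-9)
    return conn.bytes_acked / age


def select_victims(conns, now, mem_limit):
    """Return ids of connections to abort, chosen only under memory pressure.

    Nothing is aborted while queued send memory fits under mem_limit, so there is
    no fixed deadline to guess. Above the limit, the slowest drainers holding the
    most memory go first until the total fits again.
    """
    in_use = sum(c.queued_bytes for c in conns)
    if in_use <= mem_limit:
        return []
    ranked = sorted((c for c in conns if c.queued_bytes > 0),
                    key=lambda c: (drain_rate(c, now), -c.queued_bytes))
    victims = []
    for c in ranked:
        if in_use <= mem_limit:
            break
        victims.append(c.cid)
        in_use -= c.queued_bytes
    return victims


# Constructed sample at t=3600 s: one healthy client, one slow but genuine client,
# and four clients that requested a large file and then read one byte every ten
# minutes (6 bytes per hour), which would reset a fixed idle timer each time.
NOW = 3600.0
SAMPLE = [
    Conn(1, established_at=3590.0, bytes_acked=512_000, queued_bytes=64_000),   # ~51 KB/s
    Conn(2, established_at=3000.0, bytes_acked=1_200_000, queued_bytes=64_000), # 2 KB/s
] + [Conn(10 + i, established_at=0.0, bytes_acked=6, queued_bytes=64_000) for i in range(4)]


def demo():
    """Queued total is 384 KB against a 200 KB limit: three stalled clients are cut."""
    return select_victims(SAMPLE, NOW, mem_limit=200_000)


if __name__ == "__main__":
    print(demo())
```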