Re: Summary of responses so far and proposal moving forward[WasRe: [tcpm] Is this a problem?]

Mahesh Jethanandani <mahesh@cisco.com> Tue, 27 November 2007 21:56 UTC


Joe Touch wrote:
> Mahesh Jethanandani wrote:
>   
>> Joe Touch wrote:
>>     
>>> Note also that DOS attacks would likely not keep TCP connections around
>>> with zero windows AND continue to ACK - they'd stop ACKing, the
>>> connection would drop for *that* reason, and be recovered.
>>>       
>> Quite the contrary. Our experimentation revealed that DoS attackers
>> responded reliably with an ACK to all zero window probes and that
>> connections stayed in established state for days.
>>     
>
> OK - so how do you know these were attacks? Or are you calling any
> consumption of resources you don't expect an attack?

They were attacks because we had initiated them as such.

The point is (and you seemed to have accepted it by saying ok) that
you cannot rely on the attacker giving up and going away to free the
resources.
-- 
/mahesh
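
Added example, not part of the original message and not code from anyone in the thread: a simplified model comparing a reclaim rule that waits for the peer to stop ACKing with one that caps the time a connection may sit at zero window. The ACK records, connection labels and both thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Ack:
    t: int        # seconds since the observation started
    conn: str     # connection label (constructed)
    window: int   # receive window the peer advertised in this ACK

def last_heard(acks):
    """Map conn -> time of the most recent ACK from the peer."""
    last = {}
    for a in acks:
        last[a.conn] = max(last.get(a.conn, 0), a.t)
    return last

def persist_since(acks):
    """Map conn -> start of its current unbroken zero-window run, or None."""
    start = {}
    for a in sorted(acks, key=lambda a: a.t):
        if a.window > 0:
            start[a.conn] = None          # window opened, run is over
        elif start.get(a.conn) is None:
            start[a.conn] = a.t           # first zero-window ACK of a new run
    return start

def dead_peer(acks, now, silence_limit):
    """Rule A: reclaim only connections whose peer has stopped ACKing."""
    return sorted(c for c, t in last_heard(acks).items() if now - t > silence_limit)

def stuck_in_persist(acks, now, persist_limit):
    """Rule B: reclaim connections held at zero window too long, ACKing or not."""
    return sorted(c for c, t in persist_since(acks).items()
                  if t is not None and now - t > persist_limit)

NOW = 2 * 24 * 3600  # two days of observation

def sample_acks():
    """Constructed trace: three peers answering zero-window probes."""
    acks = [Ack(t, "attacker", 0) for t in range(10, NOW + 1, 60)]     # ACKs every probe
    acks += [Ack(100, "slow-client", 0), Ack(160, "slow-client", 0)]   # briefly full
    acks += [Ack(t, "slow-client", 8192) for t in range(220, NOW + 1, 300)]
    acks += [Ack(50, "vanished", 0), Ack(110, "vanished", 0)]          # then silent
    return acks

if __name__ == "__main__":
    trace = sample_acks()
    print("rule A reclaims:", dead_peer(trace, NOW, silence_limit=600))
    print("rule B reclaims:", stuck_in_persist(trace, NOW, persist_limit=3600))
```

Rule A never frees the connection that keeps answering probes with a zero window; only the duration cap in rule B does, and it leaves the client whose window reopened alone.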