Re: [tcpm] Is this a problem?

Florian Weimer <fw@deneb.enyo.de> Tue, 30 October 2007 14:17 UTC

From: Florian Weimer <fw@deneb.enyo.de>
To: Mahesh Jethanandani <mahesh@cisco.com>
Subject: Re: [tcpm] Is this a problem?
References: <472654F9.5030308@cisco.com>
Date: Tue, 30 Oct 2007 15:14:19 +0100
In-Reply-To: <472654F9.5030308@cisco.com> (Mahesh Jethanandani's message of "Mon, 29 Oct 2007 14:47:37 -0700")
Message-ID: <873avsvgec.fsf@mid.deneb.enyo.de>
Cc: tcpm@ietf.org

* Mahesh Jethanandani:

> Three well-known, public sites were tested for this vulnerability. The
> two most common HTTP servers, Apache and IIS, were the targets. While
> one site had put a mitigation technique in place, the others had
> none. With the latter two we were able to hold connections in
> ESTABLISHED state for days. The former site had a mitigation in place
> with a fixed timeout of 11 min., which was easy to guess and work
> around.
>
> We (the authors) believe that this is a huge problem. What do you
> folks feel?

It's a problem, but not at the TCP layer.

SSH connections, for instance, can legitimately last for days in
ESTABLISHED state without any traffic being exchanged.

For HTTP, it may be helpful to have some kind of information regarding
the TCP state to mitigate the DoS potential, but I fear that it's too
easily manipulated by the attacker to be useful.  Even if it's not, it's
really a sockets API issue.


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm
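The point made in the reply, that the idle-connection problem belongs to the application and sockets layer rather than to TCP, can be illustrated with a small defensive example. The code below is an added illustration, not code from the thread, from Apache, IIS or any of the sites mentioned: an HTTP front end that bounds how long a client may take to deliver a complete request header, using a per-connection deadline with random jitter instead of the fixed, guessable 11-minute timeout described in the quoted message. The function and constant names (`pick_deadline`, `read_request_header`, `MAX_HEADER_BYTES`) and the values chosen are assumptions of this example.

```python
import random
import select
import socket
import threading
import time
from typing import Optional

# Added defensive example (not from the tcpm thread): enforce a request-header
# deadline at the application layer. TCP itself will happily keep an idle
# connection ESTABLISHED indefinitely, which is correct for protocols such as
# SSH; the HTTP server has to decide how long a half-delivered request may wait.

MAX_HEADER_BYTES = 8192  # assumed cap on header size, also stops slow byte-at-a-time trickles


def pick_deadline(base_seconds: float, jitter_seconds: float, rng=random) -> float:
    """Per-connection deadline: base plus a uniform random jitter, so the
    cut-off is not a fixed, guessable value like the 11 minutes in the thread."""
    return base_seconds + rng.uniform(0.0, jitter_seconds)


def header_complete(buf: bytes) -> bool:
    """True once the blank line ending an HTTP/1.x request header has arrived."""
    return b"\r\n\r\n" in buf or b"\n\n" in buf


def read_request_header(conn: socket.socket, deadline_seconds: float,
                        clock=time.monotonic) -> Optional[bytes]:
    """Read until the end of the request header.

    Returns the header bytes, or None when the client did not finish the header
    before the deadline, went idle past it, closed, or exceeded MAX_HEADER_BYTES.
    The caller is expected to close the connection on None.
    """
    buf = b""
    end = clock() + deadline_seconds
    while not header_complete(buf):
        remaining = end - clock()
        if remaining <= 0:
            return None  # total budget for the header exhausted
        ready, _, _ = select.select([conn], [], [], remaining)
        if not ready:
            return None  # no bytes arrived before the deadline
        chunk = conn.recv(4096)
        if not chunk:
            return None  # peer closed the connection
        buf += chunk
        if len(buf) > MAX_HEADER_BYTES:
            return None  # oversized header, refuse rather than buffer forever
    return buf


def demo() -> tuple:
    """Constructed local demonstration over socketpair(): one peer sends a full
    request at once, another sends a partial request line and then stalls."""
    fast_server, fast_client = socket.socketpair()
    fast_client.sendall(b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
    fast_result = read_request_header(fast_server, pick_deadline(1.0, 0.5))
    fast_server.close()
    fast_client.close()

    slow_server, slow_client = socket.socketpair()

    def stall():
        slow_client.sendall(b"GET / HTTP/1.1\r\n")  # never finishes the header
        time.sleep(0.5)
        slow_client.close()

    t = threading.Thread(target=stall)
    t.start()
    started = time.monotonic()
    slow_result = read_request_header(slow_server, 0.2)
    elapsed = time.monotonic() - started
    t.join()
    slow_server.close()
    return fast_result, slow_result, elapsed


if __name__ == "__main__":
    fast, slow, took = demo()
    print("complete header accepted:", fast is not None)
    print("stalled header rejected:", slow is None, "after %.2fs" % took)
```

The deadline covers the whole header, not just the gap between bytes, so a client that trickles one byte per minute is cut off just like one that sends nothing. Real servers also bound the number of concurrent connections per client address and the time allowed for the request body; those checks are out of scope here.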