Re: [tcpm] Is this a problem?

Mahesh Jethanandani <> Wed, 28 November 2007 19:06 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1IxSF9-0005rc-81; Wed, 28 Nov 2007 14:06:43 -0500
Received: from tcpm by with local (Exim 4.43) id 1IxSF7-0005pz-MT for; Wed, 28 Nov 2007 14:06:41 -0500
Received: from [] ( by with esmtp (Exim 4.43) id 1IxSF7-0005oj-Bf for; Wed, 28 Nov 2007 14:06:41 -0500
Received: from ([] by with esmtp (Exim 4.43) id 1IxSF6-0003CL-SF for; Wed, 28 Nov 2007 14:06:41 -0500
Received: from ([]) by with ESMTP; 28 Nov 2007 11:06:40 -0800
Received: from ( []) by (8.12.11/8.12.11) with ESMTP id lASJ6eg1027543; Wed, 28 Nov 2007 11:06:40 -0800
Received: from [] ( []) by (8.12.10/8.12.6) with ESMTP id lASJ6dgK023726; Wed, 28 Nov 2007 19:06:40 GMT
Message-ID: <>
Date: Wed, 28 Nov 2007 11:06:41 -0800
From: Mahesh Jethanandani <>
Organization: Cisco Systems Inc.
User-Agent: Thunderbird (Windows/20071031)
MIME-Version: 1.0
To: John Heffner <>
Subject: Re: [tcpm] Is this a problem?
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1992; t=1196276800; x=1197140800; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;;; z=From:=20Mahesh=20Jethanandani=20<> |Subject:=20Re=3A=20[tcpm]=20Is=20this=20a=20problem? |Sender:=20; bh=GDQTmF6HOsJ/YmGhi1oT6OA3aSOhj1JVhdOOtNbmBiw=; b=CpPwMT6ISlFeSKHFMJ4YmZFW/Av43VyKhtNxCbD+bDqb6gOPX1dsqwjfFeha+LkIzmOcUXFW p5NftQ/1c8qa81RCpvlYuUGB7DeQshvsOjrkuLcEdVZMoM8nV8NSjChS;
Authentication-Results: sj-dkim-3;; dkim=pass ( sig from verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: b19722fc8d3865b147c75ae2495625f2
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

John Heffner wrote:
> It's actually an easy and generally more effective attack to just drop 
> all the packets on the floor rather than continue ACKing with zero 
> window.  The connection will eventually time out, but it takes so 
> long, it's easy to initiate another one in this time to take its 
> place.  Once again, please look carefully at Stas's netkill: 
> <>.  It's a simple short perl script.  The 
> defense you are proposing does nothing for this attack.
That is true. The attack is very similar to the one we describe. It 
applies to a different state in TCP - FIN_WAIT_1. I would suggest that 
your attack is not just a "mbuf exhaustion" but also a TCP connection 
resource attack. It is possible to run either or both of them out. The 
defense we propose is specifically for connections in persist condition. 
We found it more tricky to simulate the situation you describe because 
it required the amount of data requested to fit in the receiver 
advertised window. In addition, it does have a timeout (albeit a long 
one) and requires more active clients to attack the server. However ...
> I don't think it's critical to determine whether a connection is 
> stalled while limited by cwnd or rwin.  This *may* be useful 
> information, but it's not the most important.  In my view, the more 
> important thing to know is (1) whether the connection is making 
> progress, and (2) how much memory (the contended resource) it is 
> using.   Using this information, you can implement a policy that 
> resets connections that are consuming resources with no benefit 
> (progress).  This solves the more general problem -- both the netkill 
> attack and a persist attack.
... our solution keeps track of connections that are in persist 
condition and keeps track of connections that are not making progress 
and consuming memory. The framework of the solution is amenable to 
include connections in FIN_WAIT_1 state.

tcpm mailing list