Re: [tcpm] TCP zero window timeout?

Fernando Gont <> Sat, 26 August 2006 11:25 UTC

Received: from [] ( by with esmtp (Exim 4.43) id 1GGwIB-0001ve-D8; Sat, 26 Aug 2006 07:25:35 -0400
Received: from [] ( by with esmtp (Exim 4.43) id 1GGwIA-0001vZ-Bh for; Sat, 26 Aug 2006 07:25:34 -0400
Received: from ([]) by with esmtp (Exim 4.43) id 1GGwI8-00087F-Gu for; Sat, 26 Aug 2006 07:25:34 -0400
Received: from ( []) by (Postfix) with ESMTP id 2D4CBF0C66D; Sat, 26 Aug 2006 08:25:42 -0300 (ART)
Received: from ([]) (authenticated bits=0) by (8.12.11/8.12.11) with ESMTP id k7QBOssi012924; Sat, 26 Aug 2006 08:25:12 -0300
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Sat, 26 Aug 2006 07:13:56 -0300
To: Mahesh Jethanandani <>, "Mahdavi, Jamshid" <>
From: Fernando Gont <>
Subject: Re: [tcpm] TCP zero window timeout?
In-Reply-To: <>
References: <> <> <>
Mime-Version: 1.0
X-Spam-Score: 0.3 (/)
X-Scan-Signature: 10d3e4e3c32e363f129e380e644649be
Cc:, "Anantha Ramaiah (ananth)" <>
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: multipart/mixed; boundary="===============0038452873=="

At 21:00 25/08/2006, Mahesh Jethanandani wrote:

>The situation I was referring to is a little different and applies 
>to persist timer. In our situation the client stops reading data. 
>These clients are machines out in the Internet and as such the 
>server has no control over their behavior. So while there is 
>unacknowledged data, it is not that the client is not acking any 
>data. It is responding to the probe but that it continuously 
>advertises a window of zero.  There is currently to my knowledge no 
>timeout for this state for the server. This can manifest itself as a 
>DOS situation if there are several such connections where the server 
>is forced to hold data.

I'd argue that this should be handled by an application-level timer.

The problem with the scenario you point out is that there will always 
be one more way to do the same thing.

If we're talking about connections wasting resources, there are many 
protocols (POP3, SMTP) in which after the initial greeting by the 
server, the client is supposed to go ahead. In all those cases, the 
client could just sit there. And only an application-layer timeout 
would help you.

I'm not sure how many servers implement this type of 
application-layer timer. But there are some (Apache) that I have 
checked, and do.

Nevertheless, I'm interested in the behaviour you described. Is it 
supposed to be malicious activity?

Kindest regards,

Fernando Gont
e-mail: ||
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

tcpm mailing list