Re: [tcpm] Is this a problem?

John Heffner <> Tue, 30 October 2007 18:59 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1ImwIz-00077S-H4; Tue, 30 Oct 2007 14:59:13 -0400
Received: from tcpm by with local (Exim 4.43) id 1ImwIx-000776-KZ for; Tue, 30 Oct 2007 14:59:11 -0400
Received: from [] ( by with esmtp (Exim 4.43) id 1ImwIx-00076t-AS for; Tue, 30 Oct 2007 14:59:11 -0400
Received: from ([2001:5e8:1:3a::64]) by with esmtp (Exim 4.43) id 1ImwIt-0008Gi-U1 for; Tue, 30 Oct 2007 14:59:11 -0400
Received: from [] ( []) (authenticated bits=0) by (8.14.1/8.13.3) with ESMTP id l9UIwxfN019358 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 30 Oct 2007 14:58:59 -0400 (EDT)
Message-ID: <>
Date: Tue, 30 Oct 2007 14:58:58 -0400
From: John Heffner <>
User-Agent: Thunderbird (Macintosh/20070728)
MIME-Version: 1.0
To: Mahesh Jethanandani <>
Subject: Re: [tcpm] Is this a problem?
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -1.4 (-)
X-Scan-Signature: ea4ac80f790299f943f0a53be7e1a21a
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

Mahesh Jethanandani wrote:
> Folks,
> We have documented a case of HTTP servers that are prone to resource starvation with the use of a small user level program. The program does not require any special privileges or changes in the kernel. The user level program on the client opens a connection to a HTTP server, sends a GET request for a large file (larger than the advertised window of the client) but never reads the response.

This problem has been well documented for at least seven years.

> Three well-known, public sites were tested for this vulnerability. The two most common HTTP servers, Apache and IIS were the target. While one site had put mitigation technique in place, the others had none. With the latter two we were able to hold connections in ESTABLISHED state for days. The former site had a mitigation in place with a fixed timeout of 11 min., which was easy to guess and work around.
> We (the authors) believe that this is a huge problem. What do you folks feel?

I personally believe it is a problem, but the absence of wide-spread 
attacks using this technique leads me to believe that other attacks are 
still more effective.  All the same, I would like to see more widespread 
defense against it.

> Previous responses to this documentation has been that it is a application problem. It is clear from our experimentation that most HTTP servers (and FTP too) have not implemented any mitigation techniques. We believe that this problem exists across the whole range of TCP based applications prevalent on the internet, although our experiments were limited to the web application. Where applications have tried to put mitigation techniques in place, workaround has been easy. This is mainly because applications do not have the same amount of visibility as TCP does on the state of the connection.

I think nearly all responses (including mine) have been of the opinion 
that this is not a transport problem.  However, I think this is not 
necessarily an application problem, either.  Since the contended 
resource is system memory, the best place to implement a fairness policy 
is in the operating system -- possibly but not necessarily in the kernel 
(for OS's where such a distinction applies).


tcpm mailing list