Re: [tcpm] PoC for draft-moncaster-tcpm-rcv-cheat-02

"Caitlin Bestler" <> Thu, 27 March 2008 23:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 042353A6ADE; Thu, 27 Mar 2008 16:20:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -98.379
X-Spam-Status: No, score=-98.379 tagged_above=-999 required=5 tests=[AWL=-0.540, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OLIn7bk8gkVt; Thu, 27 Mar 2008 16:20:04 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id E3DED3A6A77; Thu, 27 Mar 2008 16:20:04 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id F3E333A6823 for <>; Thu, 27 Mar 2008 16:20:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2AhfSZ+o-2BZ for <>; Thu, 27 Mar 2008 16:20:03 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id EAB6C3A68A3 for <>; Thu, 27 Mar 2008 16:20:02 -0700 (PDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 27 Mar 2008 19:14:44 -0400
Message-ID: <78C9135A3D2ECE4B8162EBDCE82CAD77034431B9@nekter>
In-Reply-To: <>
Thread-Topic: [tcpm] PoC for draft-moncaster-tcpm-rcv-cheat-02
Thread-Index: AciPf5gS+2RvtEj9Q+2GCdJyj8RHWwA3aO6A
References: <> <><78C9135A3D2ECE4B8162EBDCE82CAD7703442C8F@nekter><> <>
From: "Caitlin Bestler" <>
To: "Rob Sherwood" <>, "Jakob Heitz" <>
Subject: Re: [tcpm] PoC for draft-moncaster-tcpm-rcv-cheat-02
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

> -----Original Message-----
> From: [] On Behalf
> Rob Sherwood
> Sent: Wednesday, March 26, 2008 1:25 PM
> To: Jakob Heitz
> Cc:
> Subject: Re: [tcpm] PoC for draft-moncaster-tcpm-rcv-cheat-02
> On Wed, Mar 26, 2008 at 01:05:27PM -0700, Jakob Heitz wrote:
> > Intentionally dropping segments at the sender
> > has an unacceptable negative impact on honest
> > connections. No wonder this never flew.
> My experiments have show this to be a <0.01% impact on perfomance and
> no impact on correctness.  You might argue that my experiments do not
> have a wide deployment and might depend on network conditions, but I
> don't know why you say the solution is "unacceptable".

As a *test* described in an informational RFC there is no real 
problem with it. As a routine counter-measure it would have
severe problems.

On very high speed links the NIC and/or driver has very little
choice but to implement one or more strategies to reduce the number
of interactions with the TCP consumer. Delivering each TCP segment
as soon as it is deliverable is not a viable option.

These techniques could include interrupt coalescing, Large Receive
Offload, TCP offload and others. Large Receive Offload in particular
will be negatively impacted whenever the TCP sender does not faithfully
send entire  messages in order and as promptly as the TCP congestion
control algorithms expect. LRO seeks to reduce the number of distinct
notifications required to deliver a sequence of TCP Segments for the
same connection, but in a manner that minimizes latency delays.

When a gap indicates a lost packet the answer is simple, aggregate
what you have and deliver it. When a gap really means that the sender
is testing you then you still aggregate what you have and deliver it.
And then deliver the deliberately mis-ordered segment separately.

So the issue is not just the memory resources, but the number of
distinct inter-layer notifications required, the number of times
that a context switch between TCBs is required and the number of
times a user context is switched. These all have a negative impact
on not only memory usage, but memory bandwidth and cache efficiency.

Indeed, if a sender engaged in deliberate TCP segment misordering
on a regular basis it could be considered a Denial-of-service attack.

This is something that can very easily be solved at the application
layer, by simply requiring the application layer to periodically
echo an application layer cookie back to the sender. A trivial AJAX
script could handle this without a single change to the TCP layer.
Using timestamps would also probably work. And if the client was
unwilling to provide these echoes, just limit the bandwidth that
you will provide to them.

As for the "network" implications, this attack is a very poor 
candidate for a successful DoS attack because it requires the
attacker to saturate a link that actually leads to them. The
pattern of the attack would be easily detected, and once detected
the destination IP address is easily traceable.

Work in the IEEE's Data Center Bridging task group should lead to 
reduction or elimination of congestion drops within IP subnets.
That means that TCP handling optimizations in NICs, drivers or
TCP stacks that expect in-order delivery will be even more effective.

The NICs and Bridges supporting these techniques will be going through
a lot of extra work to provide largely lossless and in-order delivery
of TCP segments. Deliberately sending them in the wrong order borders
on being ungrateful.

tcpm mailing list