[ILUG] Re: [Q] Max number of TCP(?) packets without waiting for an ACK(?)
paul at clubi.ie
Thu Dec 11 18:18:00 GMT 2008
On Thu, 11 Dec 2008, Gavin McCullagh wrote:
> I'd be curious to know what attack is being defended against and what it's
> doing though. Is it just dropping the connection?
Probably no specific attack. Firewall writers consider the "be
liberal" part of Postel's principle as antithetical to security (e.g.
even the BSD people managed to screw up with the CWND thing a few
years ago). Even when firewalls ship with these insane "Validate to
the max!" options disabled, administrators often go and enable them -
'cause if it was a bad idea, then it wouldn't be there as an option,
now would it?
;)
> I doubt Brian's issue has much to do with that attack, it just reminded me
> of it a little.
Sure. Just giving Brian ammo to respond with if the admin happens to
mention bandwidth-consuming attacks ;).
> Some debate has gone on over how best to deal with it.
>
> http://www.archivum.info/tcpm@ietf.org/2007-01/msg00034.html
Very interesting, thanks.
It seems this is more a fundamental characteristic of
request/response traffic patterns on the internet though, rather than
a problem specifically in TCP.
I.e. you can fix the more pathological aspects of this infinite CWND
increase, but still the general answer is to drop packets on routers
as cleverly as reasonably possible.
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
Publishing a volume of verse is like dropping a rose petal down the
Grand Canyon and waiting for the echo.
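The thread's question (how many segments a sender may have outstanding before it must wait for an ACK) and Paul's remark that the practical answer is for the network to drop packets are illustrated by the following toy model. This is an added example, not code from the ILUG thread or from any TCP stack: it tracks the in-flight limit as min(cwnd, rwnd), grows cwnd by slow start and then congestion avoidance in whole segments per RTT, and adds a hypothetical middlebox (`middlebox_cap`, an assumed parameter) that silently drops every segment beyond a fixed number of unacknowledged segments, which the sender can only perceive as loss and answer by halving cwnd. Real stacks differ in many details (byte units, dupACK thresholds, cwnd validation), so treat the numbers as qualitative.

```python
"""Toy TCP sender: segments in flight vs. a middlebox that caps unacked segments.

Constructed illustration (not the thread's code). One simulation round is one
RTT; all units are whole segments. The sender may have min(cwnd, rwnd)
segments outstanding, where rwnd is the receiver's advertised window and
cwnd the congestion window it maintains locally.
"""


def simulate(rounds, rwnd, middlebox_cap=None, initial_cwnd=1):
    """Return per-round tuples (round, in_flight, delivered, lost, cwnd_after).

    middlebox_cap (hypothetical) drops any segment beyond that many in flight.
    """
    cwnd = initial_cwnd
    ssthresh = rwnd          # slow start until the receive window is filled
    history = []
    for rnd in range(1, rounds + 1):
        in_flight = min(cwnd, rwnd)      # the answer to "how many without an ACK"
        if middlebox_cap is not None and in_flight > middlebox_cap:
            # The box validates "to the max": everything past the cap is dropped.
            delivered = middlebox_cap
            lost = in_flight - delivered
            # Sender sees loss (dup ACKs), fast retransmit: halve and continue.
            ssthresh = max(cwnd // 2, 2)
            cwnd = ssthresh
        else:
            delivered = in_flight
            lost = 0
            if cwnd < ssthresh:
                cwnd = min(cwnd + delivered, rwnd)   # slow start: +1 per ACK
            else:
                cwnd = min(cwnd + 1, rwnd)           # congestion avoidance: +1 per RTT
        history.append((rnd, in_flight, delivered, lost, cwnd))
    return history


def max_in_flight(history):
    """Largest number of unacknowledged segments the sender ever had out."""
    return max(h[1] for h in history)


def total_delivered(history):
    return sum(h[2] for h in history)


def total_lost(history):
    return sum(h[3] for h in history)


if __name__ == "__main__":
    for cap in (None, 10):
        hist = simulate(rounds=10, rwnd=64, middlebox_cap=cap)
        print(f"cap={cap}: max in flight {max_in_flight(hist)}, "
              f"delivered {total_delivered(hist)}, lost {total_lost(hist)}")
        for rnd, fl, dl, lost, cw in hist:
            print(f"  rtt {rnd:2d}: in_flight={fl:2d} delivered={dl:2d} "
                  f"lost={lost:2d} cwnd_after={cw:2d}")
```

With no middlebox the sender reaches the 64-segment receive window in seven RTTs and stays there; with a 10-segment cap it repeatedly overshoots, loses the excess, halves, and crawls back, so the cap costs both goodput and retransmissions while buying the firewall nothing it could not have got by simply dropping under pressure.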