On Thu, Jan 04, 2007 at 12:45:35PM +0100, Pieter de Boer wrote: > Michal Zalewski wrote: > > 2) Negotiate a high TCP window size for each of the connections (1 GB > > should be doable), > > > For instance, FreeBSD by default has TCP send buffers set to 32KB. It > does not (apart from recent work) do dynamic buffer sizing. 32KB is all > you get. Sysadmins probably raise this value, but, especially with large > amounts of connections, it can't be set too high or mbufs will run out. > I'd guess people wouldn't set it to much more than 1MB or such. Correct. rfc2414 says the initial sender window should be: min (4*MSS, max (2*MSS, 4380 bytes)) So you can't just connect, request, and drop the connection to get a GB of traffic. The attacker must send acks periodically. > Concluding, I think your suggested attack might work, but it would need > a braindead configuration on the sender's end to be really effective. > It's probably easier just to send some ACKs now and then.. This is exactly the attack described in CERT Advisory [VU#102014] (http://www.kb.cert.org/vuls/id/102014) and: Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse Rob Sherwood, Bobby Bhattacharjee, Ryan Braud Published in Computer and Communications Security (CCS) 2005 (http://www.cs.umd.edu/~capveg/optack/optack-ccs05.pdf) - Rob Sherwood .