Home page logo
/

dailydave logo Dailydave mailing list archives

Re: TCP Resource Exhaustion DoS Attack Speculation
From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 8 Oct 2008 10:30:35 +0100

Fyodor wrote on 02 October 2008 11:57:

if I figure out or independently discover an issue.  There was lots of
speculation on DailyDave about the DNS flaws, and I think I've figured
out this "new" vulnerability.  The vague description and symptoms
match those for a DoS tool (Ndos) I wrote and used years ago.

I just posted a detailed description of the problem and its
implications here:

http://insecure.org/stf/tcp-dos-attack-explained.html

  Interesting idea, but I think that's not it.  I think they're leaving the
sockets on the victim in a closing state, either TIME_WAIT or CLOSE_WAIT, and
I think they're manipulating the victim stack to prolong this state to
arbitrary (ridiculously long, maybe years) durations, probably by playing
games with sACKs or maybe PAWS, or by misleading the RTT measurements into
coming out with silly values.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault