North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: TCP receive window set to 0; DoS or not?

  • From: Jim Shankland
  • Date: Fri Sep 08 02:32:46 2006

Richard A Steenbergen <[email protected]> writes:
> Advertising a window of 0 is a perfectly valid way of telling the other
> side that you are temporarily out of resoruces, and would like them to
> stop sending you data....

Except that that's not what's going on here.  This message appears
when the TCP peer shrinks the window, withdrawing a previously granted
permission to send bytes -- a protocol violation.  For example, you're
free to tell me (with your window advertisement) that you're
authorizing me to send you 32K bytes, and then, after I've sent you
32K bytes, to close the window until you're ready to accept more.
You're not free to tell me it's OK to send 32K bytes, then change your
mind and advertise a window size of 0 after I've sent you only 16K

To address the "DoS" question, I don't see how this protocol violation
enables a DoS attack.  More likely, it's simply somebody's buggy
TCP stack misbehaving.  That "somebody" is unlikely to be Windows, MacOS,
FreeBSD, or Linux.  My money is on some flavor of $50 NAT/"home router"

Jim Shankland