Subject: TCP DOS: out-of-order or silly segments [was Re: tcpdrop for NetBSD]
To: None <>
From: Jonathan Stone <>
List: tech-net
Date: 05/11/2005 13:02:10
In message <>,
Dheeraj S writes:

>Quoting the original author from another BSD from where I stole the idea
>"While working on a fix for a denial of service attack involving out-of-order 
>TCP packets, [...]

Now _that_ sounds interesting and worth having.

Has anyone reviewed the FreeBSD fix for such attacks?  The FreeBSD
fix is readily available as

FreeBSD also has a defense against a broadly similar CPU-exhaustion
DoS attack by sending lots and lots of tiny in-order segments
(FreeBSD-5.2 MFC revisions quoted below).  The FreeBSD-5 change
estimates mean segment size once per second per connection. If the
estimated mean segment-size is tiny and the rate is high, the
connection is aborted.

Anyone else interested in either one?  (Or do we already have them and
my tree is out-of-date?)

--------- begin quoted FreeBSD commit message --------
Andre       2004/01/09 04:32:36 PST

  FreeBSD src repository

  Modified files:        (Branch: RELENG_5_2)
    sys/netinet          ip_icmp.c tcp.h tcp_input.c tcp_usrreq.c 
  MFC: Limiters and sanity checks for TCP MSS resource exhaustion attacks.
  The net.inet.tcp.minmssoverload is set to zero and thus connection drop
  is disabled by default.
  Approved by:    re (scottl)
  Revision   Changes    Path
             +4 -2      src/sys/netinet/ip_icmp.c
             +19 -1     src/sys/netinet/tcp.h
             +60 -0     src/sys/netinet/tcp_input.c
             +2 -1      src/sys/netinet/tcp_usrreq.c
             +7 -0      src/sys/netinet/tcp_var.h
--------- end quoted FreeBSD commit message --------
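The tiny-segment limiter the message describes (estimate the mean segment size once per second per connection and abort when it is tiny while the rate is high), written out as an added illustration; this is not FreeBSD's code and not part of the post, and the struct, function names and the 216-byte / 1000-segment thresholds are assumptions standing in for the real minmss and minmssoverload tunables.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical per-connection receive counters: segments and payload bytes
 * seen during the current one-second window. */
struct tcp_rx_stats {
    uint32_t window_start;   /* second in which the current window began */
    uint32_t segs;           /* segments received in this window */
    uint32_t bytes;          /* payload bytes received in this window */
};

/* Assumed tunables: more than TCP_MINMSSOVERLOAD segments in one second
 * with a mean payload below TCP_MINMSS marks the connection for abort.
 * An overload value of 0 disables the drop, as in the quoted commit. */
#define TCP_MINMSS          216
#define TCP_MINMSSOVERLOAD  1000

/* Account one received segment carrying 'len' payload bytes at time 'now'
 * (whole seconds). Returns true when the closed window shows the
 * tiny-segment pattern and the connection should be dropped. */
bool tcp_minmss_check(struct tcp_rx_stats *st, uint32_t now, uint32_t len)
{
    if (now != st->window_start) {
        /* First arrival in a new second: judge the window that just closed.
         * The rate test runs first, so segs is non-zero before dividing. */
        bool overload = TCP_MINMSSOVERLOAD != 0 &&
                        st->segs > TCP_MINMSSOVERLOAD &&
                        st->bytes / st->segs < TCP_MINMSS;
        st->window_start = now;
        st->segs = 1;
        st->bytes = len;
        return overload;
    }
    st->segs++;
    st->bytes += len;
    return false;
}

/* Constructed input for demonstration: deliver n segments of len bytes in
 * second 1, then one more in second 2, and report whether that last arrival
 * causes the connection to be dropped. */
bool simulate_burst(uint32_t n, uint32_t len)
{
    struct tcp_rx_stats st = {0, 0, 0};
    for (uint32_t i = 0; i < n; i++)
        (void)tcp_minmss_check(&st, 1, len);
    return tcp_minmss_check(&st, 2, len);
}
```

Because the window is only judged when the next second's first segment arrives, a sender that goes quiet after a burst is never evaluated; a real implementation would also need a timer or a check on each arrival once the segment count passes the threshold.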