Date:      Mon, 9 Jul 2001 17:12:29 -0700
From:      "Crist J. Clark" <cclark@globalstar.com>
To:        Darren Reed <avalon@coombs.anu.edu.au>
Cc:        Dragos Ruiu <dr@kyx.net>, Mike Silbersack <silby@silby.com>, cjclark@alum.mit.edu, Yonatan Bokovza <Yonatan@xpert.com>, "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject:   Re: FW: Small TCP packets == very large overhead == DoS?
Message-ID:  <20010709171229.D87064@sec-tools.corp.globalstar.com>
In-Reply-To: <200107090855.SAA12298@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Mon, Jul 09, 2001 at 06:55:44PM +1000
References:  <0107082333531I.08020@smp.kyx.net> <200107090855.SAA12298@caligula.anu.edu.au>

On Mon, Jul 09, 2001 at 06:55:44PM +1000, Darren Reed wrote:

[snip]

> MSS is the largest fragment the OS will send.  It could send smaller ones
> than the MSS value but that'd be inefficient.  Larger ones are not going
> to be well received, if at all.

OK, it may just be that I have been looking at this too long
but... Doesn't the following seem wrong?

  16:23:09.673022 172.18.113.26.4648 > AAA.BBB.CCC.106.80: S 3084535793:3084535793(0) win 16384 <mss 1460> (DF) (ttl 64, id 63179)
  16:23:09.673782 AAA.BBB.CCC.106.80 > 172.18.113.26.4648: S 1140257897:1140257897(0) ack 3084535794 win 8760 <mss 1460> (DF) (ttl 254, id 42862)

OK, both sides only want 1460 bytes as the maximum segment size,
right? But then a few packets later in this connection,

  16:23:09.679401 AAA.BBB.CCC.106.80 > 172.18.113.26.4648: . 584:2044(1460) ack 310 win 8760 (DF) (ttl 254, id 42866)
  0x0000   4500 05dc a772 4000 fe06 48b9 AABB CC6a        E....r@...H..X.j
  0x0010   ac12 711a 0050 1228 43f6 f6b1 b7da 4927        ..q..P.(C.....I'
  0x0020   5010 2238 3084 0000 0a3c 5343 5249 5054        P."80....<SCRIPT
  0x0030   204c 414e 4755 4147 453d 224a 6176 6153        .LANGUAGE="JavaS
  0x0040   6372 6970 7422 3e0a 0a3c 212d 2d0a 0a69        cript">..<!--..i
  0x0050   6620                                           f.

Now the total datagram length is 1500 (0x05dc) bytes, and the IP
header is 20 (5x4) bytes. That means that the TCP segment is 1480
bytes long, no? Yes, the data portion of the segment is 1460 bytes,
but the whole segment is 1480. From my reading of the STD, the MSS is
the _whole_ segment size, not the data portion of the segment... Or
maybe it's not? The RFC also says,

  segment length
            The amount of sequence number space occupied by a segment,
            including any controls which occupy sequence space.

Which uses the term "length." However, the definition of MSS only
talks about "size," and there is no indication I find that "size" and
"length" are the same thing.

So either all of the TCP implementations I can find are wrong and seem
to believe MSS is the maximum data length within a segment as opposed
to the actual segment size, or I am wrong. 

I figure it's me, but I'm not sure where.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
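
Added example, not part of the original message: a Python script that parses the 40 header bytes from the hex dump above and separates the datagram into IP header, TCP header and data octets, then compares both the full TCP segment and its data portion with the negotiated MSS of 1460. For reference, RFC 879 states that the MSS counts only data octets, not the TCP or IP header. The function name `measure` and the result keys are choices made for this example.

```python
import struct

# Header bytes copied from the hex dump in the message (IPv4 header + TCP header).
# The poster anonymised the source address octets as AA BB CC.
DUMP = """
4500 05dc a772 4000 fe06 48b9 AABB CC6a
ac12 711a 0050 1228 43f6 f6b1 b7da 4927
5010 2238 3084 0000
"""

NEGOTIATED_MSS = 1460  # <mss 1460> in both the SYN and the SYN/ACK


def measure(dump_hex, mss):
    """Split an IPv4/TCP datagram's length into its parts and compare with the MSS."""
    raw = bytes.fromhex("".join(dump_hex.split()))
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto = struct.unpack(
        "!BBHHHBB", raw[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP datagram")
    ip_hdr = (ver_ihl & 0x0F) * 4        # IHL is counted in 32-bit words
    if ip_hdr < 20 or len(raw) < ip_hdr + 20:
        raise ValueError("bad IHL or truncated TCP header")
    tcp = raw[ip_hdr:ip_hdr + 20]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    tcp_hdr = (off_flags >> 12) * 4      # data offset, also in 32-bit words
    if tcp_hdr < 20:
        raise ValueError("bad TCP data offset")
    segment = total_len - ip_hdr         # TCP header + options + data
    payload = segment - tcp_hdr          # data octets only
    return {
        "ip_id": ip_id, "ttl": ttl, "sport": sport, "dport": dport,
        "window": window, "total_len": total_len,
        "ip_hdr": ip_hdr, "tcp_hdr": tcp_hdr,
        "segment": segment, "payload": payload,
        "segment_fits_mss": segment <= mss,   # MSS read as whole-segment size
        "payload_fits_mss": payload <= mss,   # MSS read as data octets only
    }


if __name__ == "__main__":
    for key, value in measure(DUMP, NEGOTIATED_MSS).items():
        print(f"{key:18} {value}")
```

The parsed fields (id 42866, ttl 254, ports 80 and 4648, win 8760) match the tcpdump summary line for the same packet, which confirms the offsets used.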
