Date:      Tue, 10 Jul 2001 10:39:25 +1000 (Australia/ACT)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        cclark@globalstar.com (Crist J. Clark)
Cc:        avalon@coombs.anu.edu.au (Darren Reed), dr@kyx.net (Dragos Ruiu), silby@silby.com (Mike Silbersack), cjclark@alum.mit.edu, Yonatan@xpert.com (Yonatan Bokovza), freebsd-security@FreeBSD.ORG ('freebsd-security@freebsd.org')
Subject:   Re: FW: Small TCP packets == very large overhead == DoS?
Message-ID:  <200107100039.KAA06761@caligula.anu.edu.au>
In-Reply-To: <20010709171229.D87064@sec-tools.corp.globalstar.com> from "Crist J. Clark" at Jul 09, 2001 05:12:29 PM

In some mail from Crist J. Clark, sie said:
> 
> On Mon, Jul 09, 2001 at 06:55:44PM +1000, Darren Reed wrote:
> 
> [snip]
> 
> > MSS is the largest fragment the OS will send.  It could send smaller ones
> > than the MSS value but that'd be inefficient.  Larger ones are not going
> > to be well received, if at all.
> 
> OK, it may just be that I have been looking at this too long
> but... Doesn't the following seem wrong?
> 
>   16:23:09.673022 172.18.113.26.4648 > AAA.BBB.CCC.106.80: S 3084535793:3084535793(0) win 16384 <mss 1460> (DF) (ttl 64, id 63179)
>   16:23:09.673782 AAA.BBB.CCC.106.80 > 172.18.113.26.4648: S 1140257897:1140257897(0) ack 3084535794 win 8760 <mss 1460> (DF) (ttl 254, id 42862)
> 
> OK, both sides only want 1460 bytes as the maximum segment size,
> right? But then a few packets later in this connection,
> 
>   16:23:09.679401 AAA.BBB.CCC.106.80 > 172.18.113.26.4648: . 584:2044(1460) ack 310 win 8760 (DF) (ttl 254, id 42866)
>   0x0000   4500 05dc a772 4000 fe06 48b9 AABB CC6a        E....r@...H..X.j
>   0x0010   ac12 711a 0050 1228 43f6 f6b1 b7da 4927        ..q..P.(C.....I'
>   0x0020   5010 2238 3084 0000 0a3c 5343 5249 5054        P."80....<SCRIPT
>   0x0030   204c 414e 4755 4147 453d 224a 6176 6153        .LANGUAGE="JavaS
>   0x0040   6372 6970 7422 3e0a 0a3c 212d 2d0a 0a69        cript">..<!--..i
>   0x0050   6620                                           f.
> 
> Now the total datagram length is 1500 (0x05dc) bytes, and the IP
> header is 20 (5x4) bytes. That means that the TCP segment is 1480
> bytes long, no? Yes, the data portion of the segment is 1460 bytes,
> but the whole segment is 1480. From my reading of the STD, the MSS is
> the _whole_ segment size, not the data portion of the segment... Or
> maybe it's not? The RFC also says,
> 
>   segment length
>             The amount of sequence number space occupied by a segment,
>             including any controls which occupy sequence space.
> 
> Which uses the term "length." However, the definition of MSS only
> talks about "size," and there is no indication I find that "size" and
> "length" are the same thing.
> 
> So either all of the TCP implementations I can find are wrong and seem
> to believe MSS is the maximum data length within a segment as opposed
> to the actual segment size, or I am wrong. 

The devil is in the details.  The paragraph about "segment length" explains
it pretty well - it's the amount of sequence number space (i.e. data length).

The data payload of the IP packet (above) is 1480 bytes long, the TCP
segment size (again data payload) is 1460.  The segment length (or size)
is the sequence number space which is the same as data payload length.

I think you're taking "TCP segment" to be something it isn't.

Darren
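
The arithmetic in this exchange, recomputed from the header bytes of the quoted dump, as an added example that is not part of the original message. Assumptions: the redacted source address is replaced with the placeholder 192.0.2.106, the SYN bytes are constructed from the first tcpdump line with zeroed checksums, and the function names are hypothetical.

```python
import struct

# First 40 bytes of the 1460-byte data packet in the dump above. The source
# address is redacted in the post (AABB CC6a); 192.0.2.106 (c000026a) is a
# constructed placeholder, so the IP checksum is not verified here.
DATA_PKT = bytes.fromhex(
    "450005dca7724000fe0648b9c000026a"
    "ac12711a0050122843f6f6b1b7da4927"
    "5010223830840000")
# Constructed SYN matching the first tcpdump line (checksums zeroed).
SYN_PKT = bytes.fromhex(
    "4500002cf6cb400040060000ac12711a"
    "c000026a12280050b7da47f100000000"
    "6002400000000000020405b4")


def sizes(pkt):
    """Return the lengths discussed in the thread, read from the headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ip_hdr = (pkt[0] & 0x0F) * 4               # IHL, in 32-bit words
    ip_total = struct.unpack_from("!H", pkt, 2)[0]
    if ip_hdr < 20 or len(pkt) < ip_hdr + 20:
        raise ValueError("truncated header")
    tcp_hdr = (pkt[ip_hdr + 12] >> 4) * 4      # data offset, in 32-bit words
    if tcp_hdr < 20 or ip_hdr + tcp_hdr > ip_total:
        raise ValueError("bad TCP data offset")
    return {"ip_total": ip_total, "ip_payload": ip_total - ip_hdr,
            "tcp_header": tcp_hdr, "tcp_data": ip_total - ip_hdr - tcp_hdr}


def mss_option(pkt):
    """Return the MSS advertised in a SYN's TCP options, or None."""
    ip_hdr = (pkt[0] & 0x0F) * 4
    opts = pkt[ip_hdr + 20: ip_hdr + sizes(pkt)["tcp_header"]]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                              # malformed length, stop parsing
        if kind == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            return struct.unpack_from("!H", opts, i + 2)[0]
        i += opts[i + 1]
    return None
```

For the data packet, `sizes(DATA_PKT)` separates the 1480-byte IP payload from the 20-byte TCP header and the 1460 bytes of TCP data, and `mss_option(SYN_PKT)` returns the advertised 1460.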
