Study the BSD stack and think about what happens if you feed it:
1) packet with one byte of data, with sequence number at
1 byte before right edge of window.
2) packet with two bytes of data, with sequence number at
2 bytes before right edge of window.
....
continue the progression... wheee I've found a way to eat memory
on a remote BSD host at factorial rates :-)
The problem in the BSD stack is twofold:
1) Their socket buffer accounting assumes that header bytes are
a trivial amount of space compared to the data, so they don't
account for it at all.
2) They hold on to overlapping out of order segments.
This really isn't all that interesting a DoS, it's just inconvenient,
because (unlike the more fun exploits) you have to give your IP
address identity away to make it work.
Later,
David S. Miller
davem@redhat.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/