2008/10/2 Peter J. Philipp :

quoted text
>

> I listened to the podcast and got the idea that the socket is in ESTABLISHED

> state (so after 3 way handshake) and they

> mention that a packets PCB resources have timers, and that is what they

> exploit.  Perhaps you establish the session and

> send an HTTP request (pretend it's http) and never ACK the answer that gets

> repeated based on the internal timers.  It seemed to me they say that some

> stop repeating their content and just die.

> -p

>

I have just listened to the interview as well.
They said that they have looked at the source tree of Linux, at their

Timer code in the TCP stack. The Linux source code indeed have a

comment saying there are states that are bad and the Linux kernel

would try to avoid. So the sockstress program was written to work the

other way around, to try to get into that bad state as much as

possible, and it managed to bring down Linux systems.
They then run the same attack against a Windows machine, and it had

the same effect as well, so it really seem like a problem in the TCP

protocol.
In the article it is said that BSD are vulnerable as well, they didn't

mention if it was Free or Net or Open...
So I guess the question is if OpenBSD have such state in its TCP

stack, maybe a code auditing session (whenever it is done next, the

next Hackathon?) can look at something like that in the OpenBSD

kernel... or maybe the dev already saw this kind of problem and have

harden the TCP stack for OpenBSD?
--

This e-mail may be confidential. You may not copy, forward or use any

part. All disclaimers on the Internet are of zero legal effectiveness.

http://www.goldmark.org/jeff/stupid-disclaimers/