Re: possible dos / wsize affected frozen connection length (was: Re: 2.6.17.1: fails to fully get webpage)

2006-07-10 Thread CaT
On Wed, Jul 05, 2006 at 07:54:01AM -0400, linux-os (Dick Johnson) wrote:
> >> running since 8:42pm yesterday. It's 8:37am now. It hasn't progressed
> >> in any way. It hasn't quit. It hasn't timed out. It just sits there,
> >> hung. This leads me to consider the possibility of a DOS, either
> >> intentional or accidental (think about 2.6.17.x running on a mail server
> >> and someone mails/spams from a broken place).
> 
> TCP/IP connections can continue forever. That's one of the reasons why
> Berkeley sockets has SO_KEEPALIVE for a socket option. In the absence
> of such an option, the physical connection can be broken for a week,
> reconnected, then the session can continue.

D'oh. I knew that. Sigh. It's one of the things I like about having a
static ip on a bad connection. :)

> In your case, you probably have a real error in which one end of the
> connection crashed. However, until the other end shuts down that

Well not so much crashed but became unreachable due to the wsize thing.

> socket, the connection is logically correct and should not be
> forcefully terminated.

It'll never terminate right now unless I hit ^c.

> A DOS is unlikely because with no data being transferred, little

Not all DOSes are transfer-based. Just anything that uses up resources to
the point where a service is no longer able to be performed.

> non-swapable resources are used. You can control the maximum number
> of connections allowed from a host with your firewall software
> (like iptables).

After the fact really. In this case one can send mail to a box and make
it bounce to someplace behind a wsize-broken network. Resources taken up
that won't return until someone spots what's wrong. You could make your
own wsize-broken network, connect to someplace a few times and then move
on whilst their end hangs around, waiting for the connections to do
something.

In my test case I am wondering if there was/is a web process hanging
about doing nothing other than waiting for my end to do something.

-- 
"To the extent that we overreact, we proffer the terrorists the
greatest tribute."
- High Court Judge Michael Kirby
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: possible dos / wsize affected frozen connection length (was: Re: 2.6.17.1: fails to fully get webpage)

2006-07-05 Thread linux-os (Dick Johnson)

On Tue, 4 Jul 2006, CaT wrote:

> On Fri, Jun 30, 2006 at 08:50:39AM +1000, CaT wrote:
>> Another datapoint to this is that I've had this my netcat web test
>> running since 8:42pm yesterday. It's 8:37am now. It hasn't progressed
>> in any way. It hasn't quit. It hasn't timed out. It just sits there,
>> hung. This leads me to consider the possibility of a DOS, either
>> intentional or accidental (think about 2.6.17.x running on a mail server
>> and someone mails/spams from a broken place).
>
> I'm just wondering if connections hanging around this long are normal.
> The above has now been running for 6 days. netstat is still reporting an
> established session. netcat has not timed out. It's all just sitting
> there doing nothing.

TCP/IP connections can continue forever. That's one of the reasons why
Berkeley sockets has SO_KEEPALIVE for a socket option. In the absence
of such an option, the physical connection can be broken for a week,
reconnected, then the session can continue.

In your case, you probably have a real error in which one end of the
connection crashed. However, until the other end shuts down that
socket, the connection is logically correct and should not be
forcefully terminated.

A DOS is unlikely because with no data being transferred, little
non-swapable resources are used. You can control the maximum number
of connections allowed from a host with your firewall software
(like iptables).

Cheers,
Dick Johnson
Penguin : Linux version 2.6.16.4 on an i686 machine (5592.86 BogoMips).
New book: http://www.AbominableFirebug.com/
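As an added example (not code from either poster, nor from any kernel or netcat source), the Python below shows the two practical levers this exchange touches on: turning on SO_KEEPALIVE together with Linux's per-socket TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT timers so that a connection whose peer has gone unreachable is torn down in bounded time instead of sitting ESTABLISHED indefinitely, and counting ESTABLISHED connections per peer from `ss -tn` style output to spot one source holding many idle sockets (the manual counterpart of the per-host limit suggested above for iptables). The `ss` lines are constructed, the addresses are documentation ranges, and the timer values are arbitrary choices for illustration.

```python
import socket
from collections import Counter

# Illustrative timers (seconds), chosen for the example.  Linux's own default
# idle time is 7200 s (net.ipv4.tcp_keepalive_time), so even with keepalive
# on, a silent peer can sit for two hours before the first probe goes out.
DEFAULT_IDLE = 60
DEFAULT_INTERVAL = 10
DEFAULT_COUNT = 5


def enable_keepalive(sock, idle=DEFAULT_IDLE, interval=DEFAULT_INTERVAL,
                     count=DEFAULT_COUNT):
    """Turn on TCP keepalive for sock and, where the platform exposes the
    per-socket timers (Linux does), bound how long an unreachable peer can
    keep the connection ESTABLISHED.  Returns the values read back from the
    kernel so the caller can confirm they took effect."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE":
               sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)  # absent on platforms without the knob
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def dead_peer_timeout(idle=DEFAULT_IDLE, interval=DEFAULT_INTERVAL,
                      count=DEFAULT_COUNT):
    """Approximate worst case, in seconds, before the kernel resets a
    connection whose peer never answers: the idle period with no traffic,
    then `count` unanswered probes sent `interval` seconds apart."""
    return idle + interval * count


def keepalive_demo(idle=DEFAULT_IDLE, interval=DEFAULT_INTERVAL,
                   count=DEFAULT_COUNT):
    """Apply the options to a fresh, unconnected TCP socket and return what
    the kernel reports back (no traffic is sent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return enable_keepalive(s, idle, interval, count)


# Constructed sample of `ss -tn` output (not captured from a real host);
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:25        198.51.100.7:51234
ESTAB      0      0      192.0.2.10:25        198.51.100.7:51235
ESTAB      0      0      192.0.2.10:25        198.51.100.7:51236
ESTAB      0      0      192.0.2.10:80        203.0.113.5:40000
TIME-WAIT  0      0      192.0.2.10:80        203.0.113.9:40001
"""


def established_per_peer(ss_text):
    """Count ESTABLISHED connections per peer address in ss -tn style
    output.  The header and non-ESTAB rows are skipped; the port is split
    off with rsplit so IPv6 literals such as [2001:db8::1]:443 keep their
    inner colons."""
    counts = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]
        counts[peer_ip] += 1
    return counts


def peers_over_limit(ss_text, limit):
    """Peers holding more than `limit` ESTABLISHED connections, sorted."""
    return sorted(ip for ip, n in established_per_peer(ss_text).items()
                  if n > limit)


if __name__ == "__main__":
    print("keepalive options applied:", keepalive_demo())
    print("worst-case dead-peer detection: %ds" % dead_peer_timeout())
    print("peers over 2 connections:", peers_over_limit(SAMPLE_SS_OUTPUT, 2))
```

A freshly created socket has SO_KEEPALIVE off, so an application that never sets it gets exactly the open-ended behaviour described above; the example reads the options back rather than trusting that the call succeeded, because TCP_KEEPIDLE and friends are Linux-specific and silently unavailable elsewhere. The per-peer count is only a snapshot: it says who holds the sockets now, not whether they are dead, which is what the keepalive timers are for.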