[ECOS] FreeBSD socket loss (a.k.a. MSIE DoS attack)

[Gary Thomas]

Lars Povlsen wrote:
> Hi All!
> 
> I have run into a weird occurrence of total socket buffer drainage with 
> the FreeBSD network stack (IPv4).
> 
> The problem is triggered by MSIE going bezerk while rendering an 
> Ajax/DOM style, graphics heavy, web page. It goes into a mode of a 
> series of spastic connnects to the (eCos) HTTP server, request a graphic 
> object, followed immediately by a RST. Then a new connection, etc. The 
> browser manages to get the job done, at the expense of TCP connections 
> and - worse - the FreeBSD stack loosing socket buffers - forever!
> 
> When the network stack is void of buffers, exiting the browser only 
> frees *1* socket buffer. And waiting > 10 minutes does not uncover more 
> buffers from the depths of the stack.
> 
> While I realize that MSIE is acting up - BIG TIME - I hate that it can 
> cause semi-permanent damage to the operation of my system. Does anybody 
> have any clues as to how to uncover the leak? I have a workaround to the 
> browser behavior, but thats dancing around the issue, really. The 
> browser does dot always behave like this, but I guess I can hack up a 
> perl script to recreate the problem more reliantly if needed...
> 
> I have attached (part of) a Ethereal summary to display the TCP/browser 
> access pattern. The server is at 10.10.132.15, the client browser at 
> 10.10.130.96. Needless to say, FF works like a champ...
> 

If you think you can produce a small-ish test driver (perl?)
which can cause this, I think that would be the best way forward.
Then we can duplicate the problem and try to attack it.

-- 
------------------------------------------------------------
Gary Thomas                 |  Consulting for the
MLB Associates              |    Embedded world
------------------------------------------------------------

-- 
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss