Vulnerability Note VU#102014

Optimistic TCP acknowledgements can cause denial of service

Original Release date: 10 Nov 2005 | Last revised: 10 Nov 2005


A vulnerability in the TCP congestion control mechanism could be leveraged by an attacker to cause a denial of service.


The Transmission Control Protocol (TCP) is described in RFC 793 as a means to provide reliable host-to-host transmission between hosts in a packet-switched computer network. Numerous Internet protocols such as HTTP, SMTP, and FTP rely on TCP as their underlying transport protocol. Several different TCP congestion control mechanisms are specified in RFC 2581.

In the course of normal operation a TCP client acknowledges (ACKs) the receipt of packets sent to it by the server. A TCP sender varies its transmission rate based on receiving ACKs of the packets it sends. An optimistic ACK is an ACK sent by a client for a data segment that it has not yet received. A vulnerability exists in the potential for a client to craft optimistic ACKs timed in such a way that they correspond to legitimate packets that the sender has already injected into the network (often referred to as "in-flight" packets). As a result, the sender believes that the transfer is progressing better than it actually is and may increase the rate at which it sends packets. An important side effect of this condition is the amplification factor that it introduces. An attacker exploiting this vulnerability can potentially cause victims to transmit much more data than the bandwidth available to the attacker.

This condition was first described in 1999 by Savage, Cardwell, Wetherall, and Anderson in their paper, "TCP Congestion Control with a Misbehaving Receiver". Although this paper briefly mentioned the possibility of using this condition to mount a denial-of-service attack, it did not develop the details of the attack. In 2005, Sherwood, Bhattacharjee, and Braud published a paper entitled, "Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse", that examines the extent of the potential impact of an attack using this vulnerability.


A remote attacker can cause a TCP sender to transmit packets faster than it would in the course of a normal connection. The victim could potentially exhaust its network bandwidth, thereby resulting in a denial of service. In an attack involving multiple victims, the aggregate volume of generated traffic may cause congestion or a bandwidth exhaustion denial of service to intermediate transit network providers as well.


The CERT/CC is currently unaware of a practical solution to this problem.


Connection Throttling
Network administrators should consider implementing per-connection throttling or other forms of traffic shaping for services on their network that could be exploited. While this workaround does not remove the underlying vulnerability, it forces an attacker to use more hosts in order to have the same overall impact.

TCP Implementation Changes
The second paper listed above proposes several implementation changes to mitigate this vulnerability. In particular, the authors suggest a strategy of randomly dropping segments on the sender. By doing this, receivers that ACK packets that are intentionally dropped by the sender can reliably be identified as misbehaving. The authors have provided a patch that implements this workaround for Linux 2.4.24 kernel.
It is important to note that these implementation changes have not been ratified by relevant standards bodies such as the IETF. Implementors and administrators should exercise careful consideration and be especially aware of unintended side effects when choosing to implement these implementation changes.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Sun Microsystems, Inc.Affected02 Sep 200503 Nov 2005
3com, Inc.Unknown02 Sep 200502 Sep 2005
AlcatelUnknown02 Sep 200502 Sep 2005
Apple Computer, Inc.Unknown02 Sep 200502 Sep 2005
AT&TUnknown02 Sep 200502 Sep 2005
Avaya, Inc.Unknown02 Sep 200502 Sep 2005
Avici Systems, Inc.Unknown02 Sep 200502 Sep 2005
Borkerware TechnologiesUnknown02 Sep 200502 Sep 2005
Charlotte's Web NetworksUnknown02 Sep 200502 Sep 2005
Check Point Software TechnologiesUnknown02 Sep 200502 Sep 2005
Chiaro Networks, Inc.Unknown02 Sep 200502 Sep 2005
Cisco Systems, Inc.Unknown02 Sep 200502 Sep 2005
Computer AssociatesUnknown02 Sep 200502 Sep 2005
Conectiva Inc.Unknown26 Oct 200526 Oct 2005
Cray Inc.Unknown02 Sep 200502 Sep 2005
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to Rob Sherwood of the University of Maryland for reporting this vulnerability and researching its associated exploitation methods. The CERT/CC acknowledges Stefan Savage, Neal Cardwell, David Wetherall, and Tom Anderson for the original publication of the underlying protocol issue that causes the vulnerability.

This document was written by Chad Dougherty. Additional technical feedback and assistance with this vulnerability was provided by Hal Burch and Art Manion.

Other Information

  • CVE IDs: Unknown
  • Date Public: 10 Nov 2005
  • Date First Published: 10 Nov 2005
  • Date Last Updated: 10 Nov 2005
  • Severity Metric: 10.50
  • Document Revision: 27


If you have feedback, comments, or additional information about this vulnerability, please send us email.