A vulnerability in the TCP congestion control mechanism could be leveraged by an attacker to cause a denial of service.
The Transmission Control Protocol (TCP) is described in RFC 793 as a means to provide reliable host-to-host transmission in a packet-switched computer network. Numerous Internet protocols such as HTTP, SMTP, and FTP rely on TCP as their underlying transport protocol. Several different TCP congestion control mechanisms are specified in RFC 2581.
In the course of normal operation a TCP client acknowledges (ACKs) the receipt of packets sent to it by the server. A TCP sender varies its transmission rate based on receiving ACKs of the packets it sends. An optimistic ACK is an ACK sent by a client for a data segment that it has not yet received. A vulnerability exists in the potential for a client to craft optimistic ACKs timed in such a way that they correspond to legitimate packets that the sender has already injected into the network (often referred to as "in-flight" packets). As a result, the sender believes that the transfer is progressing better than it actually is and may increase the rate at which it sends packets.
A remote attacker can cause a TCP sender to transmit packets faster than it would in the course of a normal connection. The victim could potentially exhaust its network bandwidth, thereby resulting in a denial of service. In an attack involving multiple victims, the aggregate volume of generated traffic may cause congestion or a bandwidth exhaustion denial of service to intermediate transit network providers as well.
The CERT/CC is currently unaware of a practical solution to this problem.
Thanks to Rob Sherwood of the University of Maryland for reporting this vulnerability and researching its associated exploitation methods. The CERT/CC acknowledges Stefan Savage, Neal Cardwell, David Wetherall, and Tom Anderson for the original publication of the underlying protocol issue that causes the vulnerability.
This document was written by Chad Dougherty. Additional technical feedback and assistance with this vulnerability was provided by Hal Burch and Art Manion.
|Date First Published:||2005-11-10|
|Date Last Updated:||2017-04-12 17:27 UTC|