Re: mystery NCSA httpd problems on gnn.com

Robert S. Thau (rst@ai.mit.edu)
Tue, 31 Jan 1995 19:52:07 +0100


Date: Tue, 31 Jan 1995 15:43:07 +0100
Reply-To: dmk@allegra.att.com
From: dmk@allegra.att.com (Dave Kristol)

Rob McCool said:
> ... the queue is used both for connections that are ready to be
> accepted as well as for half-negotiated connections. The latter can
> fill the queue, starving any new connections from being negotiated.

This sounds like a very interesting hypothesis. Suppose all the
pending connections were half-negotiated. The queue might be full, so
the server (actually, the OS) would reject new connections, but there
would be no completed connections to process.

This matches what we see... and, incidentally, if true, it makes for a
fairly neat denial-of-service attack against Unix-based TCP servers.
(If Mallet wants to disable rlogin and telnet on a machine he's in the
process of subverting, he just has to make his machine,
badguy.mallet.com, deliberately initiate five connections on those
ports and fail to complete the handshake.)

Things that make you go hmmm...

rst
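
The condition discussed in this thread, seen from the defender's side, as an added example that is not part of the original message: it counts half-negotiated connections per listening port in `netstat -tan`-style output and flags ports whose queue would be full. The sample output, the function names, and the default backlog of 5 (taken from the "five connections" figure above) are assumptions.

```python
from collections import Counter, defaultdict

HALF_OPEN = {"SYN_RECV", "SYN_RCVD"}  # Linux / BSD names for a half-negotiated connection

# Constructed sample in `netstat -tan` layout; addresses are documentation ranges.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address    State
tcp   0      0      0.0.0.0:23      0.0.0.0:*          LISTEN
tcp   0      0      0.0.0.0:513     0.0.0.0:*          LISTEN
tcp   0      0      0.0.0.0:80      0.0.0.0:*          LISTEN
tcp   0      0      192.0.2.10:80   203.0.113.5:40112  ESTABLISHED
tcp   0      0      192.0.2.10:80   203.0.113.9:40377  SYN_RECV
""" + "".join(
    f"tcp   0      0      192.0.2.10:{port}   198.51.100.7:{1024 + i}  SYN_RECV\n"
    for port in (23, 513) for i in range(5)
)

def parse(text):
    """Yield (local_port, remote_host, state) for every tcp line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # header or non-TCP line
        local, remote, state = f[3], f[4], f[5]
        yield int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state

def backlog_report(text, backlog=5):
    """Per listening port: half-open count, whether it reaches the backlog,
    and the remote host holding the most half-open slots."""
    listening, half_open = set(), defaultdict(Counter)
    for port, remote, state in parse(text):
        if state == "LISTEN":
            listening.add(port)
        elif state in HALF_OPEN:
            half_open[port][remote] += 1
    report = {}
    for port in sorted(listening):
        total = sum(half_open[port].values())
        report[port] = {
            "half_open": total,
            "full": total >= backlog,  # no room left for new handshakes
            "top_source": half_open[port].most_common(1)[0] if total else None,
        }
    return report

if __name__ == "__main__":
    for port, info in backlog_report(SAMPLE).items():
        print(port, info)
```

Set `backlog` to the limit that actually applies on the host being checked; a port that stays flagged while one remote host holds most of the slots matches the pattern described above.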