[dns-operations] root? we don't need no stinkin' root!

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Nov 29 20:35:43 UTC 2019


On Fri, Nov 29, 2019 at 09:17:32PM +0100, Tom Ivar Helbekkmo wrote:

> > Attackers can get a small amplification from SYN/ACK retries, and this
> > is being used in the wild.
> 
> Can you actually implement a TCP stack without that possibility?

Not in general, but if for a particular service the client always sends the
first application data message, then the server could make this known to the
TCP stack, and in that case the SYN+ACK retransmissions could be avoided,
because the client would retransmit the SYN if the SYN+ACK was lost, and would
otherwise retransmit its initial message.

When the server sends the first message, it sadly needs to retransmit SYN+ACK,
because when the client's ACK is lost the client is otherwise stuck with an
apparently established connection, and nothing ever sent from the server.

Thus, for example, SMTP servers (over TCP) have no choice but to retransmit
SYN+ACK.

There is not presently a mechanism in any TCP stacks I know of for a server
to indicate that SYN+ACK retransmission is optional because the client will
send first.

-- 
    Viktor.
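As an added illustration (not part of Viktor's message), a toy Python model of the handshake he describes: which side's retransmission timer rescues the connection when a segment is lost, and how much a server that keeps retransmitting SYN+ACK sends back in reply to a single spoofed SYN. Segment sizes, retry counts and the "DATA" segment are constructed assumptions; the Linux default of 5 SYN+ACK retries (net.ipv4.tcp_synack_retries) is the setting worth comparing against when tuning a client-first service.

```python
# Constructed byte sizes: a minimal SYN versus a SYN+ACK carrying options.
SYN_BYTES = 40
SYNACK_BYTES = 60
CLIENT_SYN_RETRIES = 3    # a client resends its SYN until a SYN+ACK arrives
CLIENT_DATA_RETRIES = 3   # and resends its first message until it is ACKed


def handshake(synack_retries, server_speaks_first, lost=None):
    """Simulate one 3-way handshake. `lost` maps a segment name ("SYN", "SYNACK",
    "ACK", "DATA") to how many of its transmissions are dropped; float("inf")
    means it never arrives (a spoofed source). Returns (established, synacks_sent)."""
    lost = dict(lost or {})

    def arrives(seg):
        if lost.get(seg, 0) > 0:
            lost[seg] -= 1
            return False
        return True

    synacks = 0
    for _ in range(CLIENT_SYN_RETRIES + 1):          # client's SYN timer
        if not arrives("SYN"):
            continue
        stuck = False
        for _ in range(synack_retries + 1):          # server's SYN+ACK timer
            synacks += 1
            if not arrives("SYNACK"):
                break            # client saw nothing; its SYN timer fires and the server answers the new SYN
            if arrives("ACK"):
                return True, synacks
            # ACK lost: the client already believes the connection is up. A client-first
            # client keeps resending its first message, which carries the ACK bit.
            if not server_speaks_first and any(
                    arrives("DATA") for _ in range(CLIENT_DATA_RETRIES + 1)):
                return True, synacks
            stuck = True             # server-first (e.g. SMTP banner): both sides wait
        if stuck:
            return False, synacks    # only a SYN+ACK retransmission could have rescued it
    return False, synacks


def amplification(synack_retries):
    """Bytes the server emits in reply to one spoofed SYN (no ACK or data ever
    arrives), divided by the size of that SYN."""
    _, synacks = handshake(synack_retries, True,
                           {"ACK": float("inf"), "DATA": float("inf")})
    return synacks * SYNACK_BYTES / SYN_BYTES
```

With these constructed sizes, a server-first service at the Linux default returns 9x the bytes of a spoofed SYN, while a client-first service that sends SYN+ACK once returns 1.5x and still completes every handshake in which only the first copy of a segment is lost.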
