In Dante’s Inferno there were circles in hell designed to separate the ordinary sinner: the guy who designed the keyboard I’m working with (which provides no feedback when a key has been struck for example) from the guy who deliberately put the “global nuclear war” button right next to the “toast apple poptarts” button. My “9th circle of hell award” goes to the guys who designed the firewall that I’m working with lately. It appears that in their wisdom they’ve chosen to implement the “Red Alert — all hands on deck” alarm for the following scenario. You have a server connected to a client via tcp. The server is a fairly recent linux box that can do RFC1323 extensions. The client is a boring Windows XP box with a TCP RWin size of 65536 bytes. Between them is a Comcast business class Cable connection. In this scenerio the Windows box is trying to download a file from the server on the Comcast connection. The problem is literally that the connection is too fast for the Windows XP Box to fully cope. Nowadays when I test Comcast Cable connections I’m surprised to see anything less than 25Mbit/s.In whole numbers thats 25,000,o000 bits / sec. In more familiar units that 312.5 kBytes /s. The problem is that I’m starting to see firewalls that see this as an issue because they have been programmed with very conservative specifications about what constitutes a denial of service attack. I’m seeing firewalls that scream DOS when they are connected to a Business Cable modem line and have clients with tcp receive window size of 65536 bytes. Why? it’s simple. On aBusiness Cable line with 25Mbits/s download rate you have to be able to buffer 96kbytes/s in tcp windows just to keep up with a server (or client) at the other end of a fast line. These firewalls are calling DOS because the other end can fill their TCP window and then some. The right thing to do is to watch. If the otherside wants to DOS you he’ll send many packets after your Rwin is filled. If he’s just a really fast server on a really fast pipe. He’ll respect your RWin and quit sending. If you’re firewall decides to be agressive and drop the connection (by proactively sending a TCP RST) then you should probably act accordingly.
My thanks to Chuck Skuba on this post. I have to be 100% and fess up that I gathered the data but he did the homework.
— Chris