In comp.lang.java.advocacy, John Bailo
<ja*****@texeme.com>
wrote
on Mon, 09 May 2005 11:45:28 -0700
<sM********************@speakeasy.net>:
The Ghost In The Machine wrote: In comp.lang.java.advocacy, John Bailo
<ja*****@texeme.com>
wrote
on Sat, 07 May 2005 02:07:37 -0700
<x5********************@speakeasy.net>:
AJAX demo:
http://texeme.com/ajaxtest.html
Congratulations; you've coded a self-denial-of-service attack to your server.
:-)
I've seen this before, admittedly. Google Maps is using the
Microsoft.XMLDOM object but their code is extremely messy to look at.
Your server is using a slightly different approach.
A better structuring of the problem would have keystroke validation
on the client side (e.g., a checksum on charge cards) and the completed
request would then have a more or less guaranteed valid request,
though there's only so much the client can in fact do.
In short, treat network transmissions as very costly.
Well, yes, but these are the days of broadband and bittorrents.
Shouldn't the web catch up and break away from the GET/POST global
transaction into pages with many tiny connections open?
RFC792 - ICMP header, 36 bytes
RFC791 - IP header, 24+ bytes
RFC793 - TCP header, 24 bytes
unknown - 12 byte dual-MAC
For purposes of this illustration I'm using tcpdump on
a simple telnet <hostname> 80, and issuing the request
"manually".
The state diagram in figure 6 illustrates the transmission.
The client sends a 74-byte message just to open a socket
(CTL=SYN). The server responds with a 78-byte response.
The sender sends a 66-byte message, and both sides are
now in ESTABLISHED state. That's 218 bytes and we've
not really done anything yet.
Now we can send a request. For purposes of this test I
sent a simple request: 'GET / HTTP/1.0\n\n'. This is 16
bytes, but to send it the packet size is encapsulated,
resulting in a packet size of 82 bytes.
The server responds with a 66-byte response. I'm not sure
precisely what it is, but the client sends a 68-byte response,
which results in two packets; the first is a 66-byte response,
and the second is a 480-byte response -- the header. However,
66 bytes of this 480-byte packet is TCP+IP+other such overhead.
So far:
16 bytes sent has resulted in 288 bytes over-the-wire from
the client. 414 bytes of the header response (of which part
seems to be a transparent proxy we use here at $EMPLOYER)
has resulted in 690 bytes over-the-wire from the server.
Payload? What payload? I've yet to *see* any payload, just
the HTTP headers! I've already spent more than half a kilobyte!
To be sure, on a high-speed network that's not as bad as
on a serial line, but from an efficiency standpoint I've
seen better.
I happen to know that 12 bytes of this is a dual pair of
MAC addresses (and in fact if one looks carefully at the
sniffed output and at the results of /sbin/tcpdump one
can see them). I also see an IP header and a TCP header.
But that only accounts for 60 bytes. To be sure, RFC791
specifies that options may be of variable length.
But lessee, I've sent 1 request of 16 bytes and have
received *nothing but overhead*: some of it's IP, some
of it TCP, some of it HTTP. The payload proper is still
pending, and I'm going to have to spend at least 60 bytes
of overhead to get him...maybe on both sides.
Costly? What do you think?
IPv6 will make it worse, though it's possible they'll optimize
some of this -- but there's only so much they can in fact
optimize.
--
#191,
ew****@earthlink.net
It's still legal to go .sigless.
