TCP Chorusing: Preliminary Analysis Complete

Dan Kaminsky effugas at
Tue Feb 2 13:15:31 GMT 1999

Remember that bug I was complaining about a while ago, that was preventing
users from seeing the Samba server?

The following is the abstract from a semi-detailed analysis I have written
at  :


Abstract for TCP Chorusing:

Microsoft Windows 95 and 98 clients have the capability to bind multiple
TCP/IP stacks to the same MAC address.  This is actually quite useful,
except for the fact that these stacks can run concurrently on the same IP,
even if they recieve their IP through BOOTP/DHCP.  The effect of the bug is
to cause the number of ACKnowledgement packets sent to be equal to that of
the number of loaded and bound TCP/IP stacks, creating excessive and
significant network noise and collisions.  At least one Samba 2.0.0beta1
server on an affected subnet becomes completely inaccessible when one of
these machines is activated.
Redundant ACKing can be referred to as TCP Chorusing, due to the minor time
delays introduced between multiple copies of identical data.  The problem is
undetectable using the Ping command built into Windows 95 or 98--this is a
significant bug in and of itself.  Linux´s ping is not similarly crippled.
NT was not available for testing.


Please feel free to correct me at any point in my analysis.

Yours Truly,

    Dan Kaminsky

If a vacuum cleaner doesn't suck, does it suck?

More information about the samba-technical mailing list