Slashdot Mirror

← Back to Stories (view on slashdot.org)

Techie Story On TCP Stacks

Posted by ryuzaki0 on from the stuff-to-read dept.

a9db0 writes: "Ars Technica is running an article on TCP stack research done by Stefan Savage at the University of Washington. Stefan presented one interesting tool and a couple of ingenious hacks. The tool measures response time more accurately between nodes without additional software on the server. The hacks are TCP modifications, one of which could help defeat DDoS attacks. "

12 of 76 comments (clear)

  1. Re:yay extend and embrace? by JoeBuck · · Score: 3

    Well, duh.

    Because this researcher is telling you exactly what he is doing, so you can implement it in a compatible way, while MS is not telling how to build a modified Kerberos that is compatible with their scheme.

  2. Optimistic ACKing by anticypher · · Score: 3

    OptAck has been around for a while, but any commercial IP stack isn't going to implement it. It can and does break TCP transfers, and lusers will just complain the network is broken.

    I did like the graph of how a flood of TCP packets shows up at the same time, essentally dumping all 60Mb of IE across a fat pipe all at once. That works when you are only a few hops away from the server (UoW to Redmond, line of sight), but it falls apart if you have 18-20 routers inbetween with widly fluctuating available bandwidth.

    Time to hack this into the linux net3 stack as a switch during compile time. ENABLE_OPTIM_TCPACK_FLOOD=true and then get some hacked utilities taking advantage of it. Could be good for cable/dsl/OC3 people, but won't do much for poor modem users. A carefully controlled predictive TCP ACK can increase modem connections as well for big transfers. Another fun research project to take up my precious time AAAAUUUUGGGGGHHHHH!!!! :-) :-)

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  3. Re:Interesting But... by artdodge · · Score: 4

    #1: Red Herring. We're talking about protocol-level enhancements that make attacks like TCP-based DDoS fundamentally difficult to perform. This is a totally different subject from "making sure all programs on my workstation are free of buffer overflows." It is also true that the types of solutions needed to correctly protect systems are usually fairly intrusive and systemic. As the article says (you did read the whole thing before posting, didn't you?),

    These changes, while a very complete solution to the problem, probably face the same fate as almost any proposed TCP change -- they'll be ignored. The installed software base is too big and too hard to change.

    #2: University IT departments treat researchers pretty uniformly as "clueless", and assume that their own employees are clueful. The result? Clueful hacker-researchers with well-maintained machines are all locked up behind firewalls and active monitoring unnecessarily, while wide-open boxen sit on the public subnets waiting for j0e h4x0r to set up a DDoS outpost.

  4. 'Legitimate' TCP performance tuning by owens · · Score: 4

    The Web100 Project is working on putting automatic TCP tuning into the stack. This will allow a TCP connection to use all of the available bandwidth, without breaking any of the internal algorithms or stomping on other connections. It is already possible to tune most TCP implementations by measuring the bandwidth*delay product and tweaking the socket buffer size; the NLANR TCP Tuning page has instructions.

  5. Re:His potential solution to DDos Is worrisome by Mr.+Slippery · · Score: 3
    What about privacy?

    What about it? All they can get is the IP address of the attacker. If you're making a legitimate connection, you haver to supply your IP address so that the results can reach you! The only reasons to spoof an IP address are nefarious.

    Even then, this can only trace packet floods, because a huge number of packets are needed for a trace to be effective. IIRC, the article says 100*n packets minimum, where n=number of hops, are required. If you figure 10 hops to get somewhere interesting, you need 1.5 MB incoming traffic to get a trace. FTP or HTTP requests don't generate that kind of traffic in any reasonable time.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  6. Control predictive ACKing by Shotgun · · Score: 3

    If I was running a large site and I were concerned about people running 'predictive acknowledgers', could I not modify my stack to send packets of varied size? I could just modify the last bit or two of the packet size semi-randomly. The bogus ACK would be ignored, the luser using such a technique wouldn't get his download and would eventually play fair.

    Also, if I tell the server to dump my 2Meg download into 1 packet, what happens when my wife picks up the phone and interrupts transmission? Will the whole 2Meg need to be resent? IOW, is this technique only useful on extremely reliable connections (which are VERY rare)?

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
    1. Re:Control predictive ACKing by Todd+Knarr · · Score: 4

      Check me if I'm wrong, but wouldn't simply having the server's TCP stack discard all data for which it had received an ACK, regardless of whether that data had been transmitted or not, in combination with a finite maximum window size and discarding ACKs that do not correspond with the end of a packet, make optimistic ACKing completely counter-productive?

  7. Re:DDOS trace won't work. by infodragon · · Score: 3

    It is this set of victim machines which launches the final attack.

    I personally doubt that there is any defence against a propperly executed DDOS attack.

    Stefan is not proposing a way to catch the perpetrator, but to locate the computers that are performing the DDoS attack.

    As in the article simply put...

    The basic idea behind the approach Stefan outlined is for each router that forwards a packet to mark it with information that will allow the recipient of the packet to trace it to it's source.

    This is over simplified but in the article he explains a way to mark packets, in a kinda random way, in such a manner as to be able to trace the source and then taking the proper action. Temporarly shutting down the deliquent computer's internet connection.

    This would not prevent the DDoS attack but it would speed up the process of shutting it down by removing the human factor in tracing the attacks.

    Because there is no difference between a propper DDOS and "The SlashDot Effect."

    Yes there is! A DDoS attack is a larg number of computers sending/requesting Massive amounts of information. The "Slashdot Effect" is Massive amounts of computers sending/requesiting moderate amounts of information. Except for large downloads then they are requesting Massive amounts of information, i.e. when netscape pre-6 was announced :)

    --
    If at first you don't succeed, skydiving is not for you.
  8. A few comments on the article by Chalst · · Score: 4
    Jannotti says that there is nothing to stop a user ignoring
    the `niceness' constraints in TCP: actually the strategy suggested
    will get you blacklisted on quite a few routers, which means it will
    simply drop all packets originating from your IP address. The routers
    use standard traffic profiling tools to spot just the kind of tricks
    Janotti describes.

    To plug some work done in my department, Azer Bestavros has done
    some nice work on network
    profiling : the idea I liked most was a way to make the TCP binary
    backoff work better by grouping together similar packets: this can be
    done entirely end-to-end, and really gets big improvements in overall
    performance. See in particular the paper `QoS Controllers for the Internet'.

  9. "Turbo Stack" Kernel Options?! by tqbf · · Score: 3
    Are you people stupid? Am I missing sarcasm here? What are you thinking when you advocate Linux compile-time options for congestion- control subversion? That this is a "nifty feature" for Linux kernels to have?

    Congestion control was developed in response to a congestion *crisis* in the late 1980s. Proper congestion control is a requirement for the Internet to function. The LACK of congestion control is common streaming and multicast protocols is a commonly cited major hurdle for the deployment of multicast applications on the Internet.

    It's been a nightmare scenario for awhile now that Microsoft (they of the "transient failure" RST packet) would unscrupulously try to gain a competitive advantage by manipulating congestion control. By "breaking the rules" they could make a faster stack. Another scary thought is that silly "Internet Accelerator" products could actually sell REAL accelerators, that provide horsepower boosts at the expense of the entire network.

    What you DON'T want to see happen is for Linux to gain "turbocharging" via congestion-ignorance. What that does is set up an arms race between Linux and every other stack vendor, and particularly Microsoft. That arms race could easily lead to congestion collapse and yet another Internet scaleability crisis.

    What Stefan Savage is describing are VULNERABILITIES in common TCP/IP stacks. They need to be fixed, and programs that take advantage of them need to be considered in the same light as programs that get rid of pesky security measures on remote computers --- as exploits.

    Just chiming in here, because I think it's odd that people here are paying more attention to the clever backtracking hack Savage came up with and less attention to the important, new security vulnerabilities he has documented.

  10. Re:ACK hacking by flibbertigibbet · · Score: 5

    Windows TCP/IP stacks already do this kind of retarded ACKing, and its trivial to modify others to do so. That's where intelligent traffic shaping comes in. Even if you don't modify the TCP/IP stack, you can write a proprietary program to open, say 50 connections to download the same file, or multiple files at the same time and use far more bandwidth than anyone else on the network.

    HT Kung has been doing some work on this. MIT and Harvard share the same net link and pay the same price, but MIT has more net users and therefore more connections (as in streams) so they use much more bandwidth. So you do traffic shaping and stop all those nasty bastards opening 300 concurrent connections from their desktop at once from using the entire network.

  11. DDOS trace won't work. by rcwash · · Score: 5

    A DDOS attack involves two layers of victims. The obvious victim is the recipient of the attack. But before the attack can be launched several (hundred) intermediate systems must be penetrated and exploited. It is this set of victim machines which launches the final attack.

    The procedure proposed by Stephen is quite clever and could be used to trace the attack back to the first layer of victims. But that is where it would end. The procedure requires hundreds of packets to make its trace. But the attacking machine is only listening for a single packet - whose IP can be spoofed - for the command to launch the attack. So the perpetrator remains safe behind his proxy army until he starts bragging on irc.

    I personally doubt that there is any defence against a propperly executed DDOS attack. Why? Because there is no difference between a propper DDOS and "The SlashDot Effect."

    Forget the ICMP packets. Want to take down a web site? Flood it with web page requests. You now have nothing to filter on and the legitimate users are crowded out.