Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Low Bandwidth Denial of Service Attacks

Posted by CmdrTaco on from the i'm-very-slow dept.

An anonymous reader writes "A paper from Rice University appearing at the 2003 ACM Sigcomm Conference presents a new denial of service attack where the attacker only needs to send at a low rate to shutdown TCP flows. The trick exploits the retransmission timeout mechanism in TCP. By sending small bursts of packets at just the right frequency, the attacker can cause all TCP flows sharing a bottleneck link to simultaneously stop indefinitely. And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts. The presentation, and other presentations from the conference, are available online (live streaming)."

6 of 366 comments (clear)

  1. Security through obfuscation by RobertB-DC · · Score: 4, Insightful
    My first thought was, "Oh, great, now the 5kr1pt k1dd1e5 will have another instruction manual."

    Then, I downloaded the .pdf file, and started reading it. My head's still spinning!

    Here's a sample:
    When the number of flows in the system is high, a fraction of flows' retransmission timers will expire sufficiently near time (alpha) such that those flows can partially recover and utilize the available bandwidth in the period from time (alpha) to time (beta), when all flows will again experience an outage.
    And that's one of the more lucid sentences.

    Anyone who would be able to put together an actual attack from this paper probably has enough education to get a real job -- something that doesn't go well with writing malware on the side.

    Of course, now that the paper's being discussed on Slashdot, all bets are off!
    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  2. Re:I doubt it... by sg_oneill · · Score: 4, Insightful

    I'm pretty certain that my firewall would flag the bursts. If not, seems a simple rule or two would suffice to flag them. I'd like to see this in action. I suspect that it is pretty lame and easily detected.

    My guess is that by Friday night, the kiddies will have thousands of these going. So, I guess I can do see for myself tomorrow

    Ah. sure dude.

    Not sure how a firewall helps with DOS and DDOS attacks however. something floods your pipe, and its flooded, no matter how clever your firewall is. Try reading the article :)

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  3. Re:Down with sexism! .. I mean, IPv4! by Politburo · · Score: 4, Insightful

    Insightful? This is CRAP. It's called TCP/IP. Whether its TCP/IP4 or TCP/IP6, theres still TCP, and that's what this attack targets.

  4. Undistinguishable? by _iris · · Score: 4, Insightful

    "And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts."

    Except for the bursts of traffic from the same host at a certain frequency.

  5. Going to be tough to exploit. by Andy+Dodd · · Score: 4, Insightful

    Since it requires accurate timing.

    a) Even if the average bandwidth is low, the attacker will still need the ability to burst those peaks. Remember that in most cases, we pay for peak bandwidth and not average bandwidth. A 56k modem likely won't be able to perform one of these DoS attacks because it doesn't have the peak b/w capability.

    b) The more hops you are away from your target, the more your peaks will get spread out and averaged. Keep in mind that most cable modem head-ends and the cable modems themselves have REALLY long packet queues. This is why upstream saturation is such a problem for cable modems. You can burst all you want, if you're DoSing from a cable modem it'll be averaged out and/or the timing completely FUBARed by the time the packets leave your neighborhood.

    --
    retrorocket.o not found, launch anyway?
  6. Re:yay (faker!) by Zathrus · · Score: 5, Insightful

    No. Modems stopped increasing in baud at 2400, and then used various encoding methods (trellis, QAM, etc.) to squeeze more than 1 bit/baud. A 9600 bps modem, for instance, averages 4 bits/baud.

    Well. Almost.

    Better quality phone lines can support >2400 baud, but not by much. A 28800 bps connection is running at 3429 baud IIRC, and varying line conditions will reduce that baud rate, thus reducing your effective bps.

    Compression is on top of all of this. It's an entirely different issue, and if you transfer straight text over a 28.8k modem you can get considerably more than 28.8kbps out of the modem.

    You got the broad stuff right though, which is a lot more than most people grok.