New Low Bandwidth Denial of Service Attacks
An anonymous reader writes "A paper from Rice University appearing at the 2003 ACM Sigcomm Conference presents a new denial of service attack where the attacker only needs to send at a low rate to shut down TCP flows. The trick exploits the retransmission timeout mechanism in TCP. By sending small bursts of packets at just the right frequency, the attacker can cause all TCP flows sharing a bottleneck link to simultaneously stop indefinitely. And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts. The presentation, and other presentations from the conference, are available online (live streaming)."
When I read the title, I imagined a horde of old geezers, using walkers, coming at me with sticks... but seriously, I don't see how this type of attack could prove as unstoppable or undetectable as claimed; I'm not particularly briefed with the mechanics of Retransmission Time Out, but can the mechanism not be tweaked to avoid these types of attacks without sacrificing all of its benefit?
Yay, finally there's use for my trustworthy 2400bod modem :D
Ever heard of...Slashdot?
My God, another TCP exploit? This will all end when Microsoft releases their own TCP replacement.
I wonder if this had anything to do with the "coordinated DDOS" that SCO was experiencing the last couple of days? The one ESR was referring to and supposedly convinced someone to stop doing.
Damn sneaky way to get another SCO story on to /.
Learning HOW to think is more important than learning WHAT to think.
This is a tough paper to read. It's going to be a long time before an "Insightful" post.
are available online (live streaming).
This guy is an amateur, wait until he feels the slashdot effect on his server. His next presentation will be entitled, how to knock down any server by just posting an article.
My other OS is the MCP!
From all the links in the article, it is not clear where I can read about this. I don't have time to watch a streaming video but would like to find out more about this.
Best wishes
James
I'm sure a bunch of companies who get hacked by this will sue Rice University and or whoever wrote this paper.
Maybe we will see Microsoft do this, they like to sue the little guy.
If you use Linux, please help development of Autopac
I'm pretty certain that my firewall would flag the bursts. If not, seems a simple rule or two would suffice to flag them. I'd like to see this in action. I suspect that it is pretty lame and easily detected.
My guess is that by Friday night, the kiddies will have thousands of these going. So, I guess I can see for myself tomorrow.
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
Actually the paper addresses defense mechanisms, such as randomly varying the time out interval, but it turns out that the performance lost in TCP efficiently nulls any benefits. Interesting paper.
This is a duplicate story from a looonnnng time ago. May 31 as a matter of fact. This means something considering the amount of brain cells I kill with liquor every day.
Then, I downloaded the
Here's a sample: And that's one of the more lucid sentences.
Anyone who would be able to put together an actual attack from this paper probably has enough education to get a real job -- something that doesn't go well with writing malware on the side.
Of course, now that the paper's being discussed on Slashdot, all bets are off!
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Good grief, they are giving instructions for how to DoS people! Arrest them using the DMCA! QUICK, BEFORE THE CAT IS OUT OF THE BAG!
ASCII stupid question, get a stupid ANSI
a step-by-step recipe on how to screw up the internet even worse. I thought common sense dictated that you don't release documentation of a vulnerability until there is a fix available for it. I know security by obscurity doesn't work, but in the case of fundamental flaws in the TCP architecture... well, I'd rather the script kiddies find out about it later rather than sooner. Aren't we overdue for a TCP replacement anyway? One that supports sequenced packets as well as byte streams, and one that allows windows that scale to gigabyte sizes (yes, I know there's already a window scaling kluge). Do we even have a good defense against syn-floods yet? Seems like the only way of fixing the problems would be to add an unspoofable signature to every packet so we can be certain where it came from, but this would add serious packet overhead... perhaps you could make the packet size much larger to compensate. (Will terabit ethernet still use a 1496 byte maximum packet size? How long a preamble does it need at that bit rate?)
"Freedom means freedom for everybody" -- Dick Cheney
[Scene: SCO Group, Utah. Where a "coordinated DDOS" is just beginning..]
[SUIT 1] Uh, hey, uh.. this one computer here.. it's like the webserver or something?
[SUIT 2] Yeah, I think, why?
[SUIT 1] Well, none of the lights on it are on.. that's.. hm.
[SUIT 2] Oh, yeah, hey, look at that, someone seems to have tripped over the cord and unplugged it. [[Switches it back on]]
[SUIT 1] Huh.. um.. it doesn't seem to have started up all the way. It's saying something about "fsck" and asking for a password. What does that mean?
[SUIT 2] Hm, not sure.
[SUIT 1] Well.. could we get one of the linux guys to come and reboot it? Or something?
[SUIT 2] Well, we fired all of the linux guys so that we could concentrate all our resources on the lawsuit.
[SUIT 1] Uh.. shit! Well, I guess I better figure something out.. hmm
[[ Two days later, after two days of phone calls, SUIT 1 finally finds an INDEPENDENT CONTRACTOR who doesn't just laugh and hang up on him when he says he wants them to come fix a linux server. INDEPENDENT CONTRACTOR starts the linux server up all the way and charges a great deal of money. "Coordinated DDOS" thus ends. ]]
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Gzipped Postscript file
-- Grow up and use mutt.
Anyone who is actually old enough to have used one of these would certainly know how to spell it correctly.
I call faker! You are just trying to pretend you are some 31337 old geek when you probably have never used anything slower than a DSL line.
Now get out of here before I whip ya with this here cable with BNC connectors.
My beliefs do not require that you agree with them.
Not to rain on the parade here, but I thought there were a number of more interesting papers from sigcomm this year. Namely:
- Peer-to-Peer Information Retrieval Using Self-Organizing Semantic Overlay Networks
- Quantum Cryptography in Practice
- Making Gnutella-like P2P Systems Scalable
Just some more food for thought....
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
Back in my days as a satellite network controller for the Army it was common knowledge all it takes to saturate the whole frequency range for the commo payload is a nice 75Khz spike (enough carrier for a FM orderwire signal). People would argue it could not be done since we pretty much owned the 7.25->8.4 GHZ spectrum, but it worked pretty damn well. This is the equivalent of saturating a T1 with a 14.4 modem.
Pedro
----
The Insomniac Coder
I call to all arms-bearing full-blooded Americans to rush home, take their trusty shotguns, and relentlessly hunt down spammers until the last one is gutted and stuffed and put on display in the Smithsonian!!!
well, i've got a good excuse. my native language is not english :p
In my vague understanding of TCP, I thought that the retry timers were supposed to have a random element to them. In fact, some systems talk of using cryptographic random sources so that the delays aren't predictable.
If that isn't the case in implementations, it would seem to be implementation error, not really a fault with the protocol itself.
Wrong. That's a different paper.
--
Error 500: Internal sig error
It seems to me that the solution is to have a variable RTO... Kinda like when LaForge had to continually modulate the shield frequency to keep the Borg from adapting. :-)
Nothing to see here. Move along.
I can't find any reference in the article to support your statement that it only impacts multicast TCP (not saying it isn't there, just that I couldn't find it). Can you provide a reference quote/page. Thanks
In my day, we had to get up at 2:00am, clean the road with our tongues, crawl to work on broken glass and when we got there, we had to work with 6 baud modems that were powered by rabid hamsters. And we were glad for them.
"baud" is named after J.M.E. Baudot who was French. more info
Insightful? This is CRAP. It's called TCP/IP. Whether it's TCP/IP4 or TCP/IP6, there's still TCP, and that's what this attack targets.
Like Microsoft (May Billy Gates live forever) says, "If nobody does any research on it, nobody'll know it exists, right?"
That was totally irresponsible. They should have not released that information, and promptly committed Hari-Kiri so the information would never be uttered again on the face of the earth.
If you had read the article, you'd know this problem is related to a TCP feature, not IP. In fact it's related to multi-casting which will most likely still be a feature once IPv6 comes around...
:-) That is a good excuse. Oh, but wait, I don't think Baudot was a native speaker of English either.....
Roman Semaphore
Indian Smoke
etc.
There are places where the networks are not touching, and there are places where they are-Boeing's Lori Gunter
Be nice, or I'll strangle you with a piece of this thicknet cable.
(I actually use cable or a T1 depending on where I am) However, were I to use a modem, I'd still be using 2400 baud.
baud is essentially the number of samples per second, and that hasn't risen since the release of the old 2400 baud modem. What makes things like 56K possible is how many distinct pieces of data can be extracted out of each sample, such as changes in frequency, amplitude, or phase shifts.
And yes, my first modem was a real 2400 baud in '93.
I had to hammer the wire out of rusty nails, break the necks off of beer bottles for insulators, string the wire, build modems out of 12AU7 and 6J6 tubes, and have it all running before dawn. And we were glad for them.
"Eve of Destruction", it's not just for old hippies anymore...
Well, in Russian "baud" is spelled as "bod" (with cyrillic letters of course). All Latin alphabet based languages seem to have it as "baud" or a similar form (the ones I checked are German, Finnish, Swedish, Italian, French).
Oh yea, that's also the reason why we differentiate between 2004 'baud' and 56Kbps. One is for samples per second, other is for (thousands of) bits per second.
After a quick glance at it, the only insightful thing I can think of is that since this is just a TCP based attack, you could start doing it on any connection that is going to have ongoing TCP traffic.
For example: SMTP traffic.
To be more specific, let's take the example of somebody you don't like (We'll call them Mr. Spammer for now) initiates a TCP connection to you, on some random port (let's pick port 25) You watch the traffic, and once you determine that the traffic is coming from Mr. Spammer, you initiate the attack using the existing TCP connection.
This would be a good tarpit for not only slowing him down, but stopping that open relay or paid-for client machine.
Nathan Brazil?
You'd have to say it with an American accent. "Bod" would come out more like "bawd" so you can see where the kids would get confused. Any English dialect that can't distinguish between "Body" and "Bawdy" needs some serious looking at.
Paper Today
Proof of Concept by Monday
Script Kiddies Version by Thursday
Internet dies on Friday
All back to normal Monday
Rus
Cheap UK and US VPS
And BNC stands for? ...
When a blimp crashed on a roof a few years ago, I always envisioned the people on the roof looking up and shouting, "Look Out! Walk for your lives!"
Hopelessly pedantic since 1963.
By the time you click the link it will timeout and you will have just engaged in one of those low bandwidth DDOS attacks.
Of course, none of this is real, and time is just an illusion that keeps everything from happening at once.
Heh, heh
All Ad hominem replies happily ignored as the sender shall be deemed to lack the faculties to comprehend the equation.
Bayonet nut coupler
Or Banana nut coupler
No sir I dont like it.
...resonance frequency.
By sending small bursts of packets at just the right frequency, the attacker can cause all TCP flows sharing a bottleneck link to simultaneously stop indefinitely.
Essentially this says that all you do is to continually convince TCP that the 'pipe' is full of information and to take counter measures.
TCP will do this with a preset procedure that was designed to eliminate deadlock situations. The problem occurs when every time the TCP stack tries to resend the information, you can fool it by filling the 'pipe' again. As long as you know when the TCP stack will retry again, you can continue this over and over. Because it does not take a lot of information to fill the 'pipe' for the short time that TCP attempts to resend, you can have a low bandwidth attack.
To be accurate your 167.113.213.144 address can be legally represented as
0
10100111.01110001.11010101.10010000
A7.71.D5.9
or
2809255312
It used to be an obfuscation to use http://2809255312 in spam, I don't know if it is still used, I haven't seen it for a while
I know IE accepted it but Mozilla doesn't in FreeBSD
There are places where the networks are not touching, and there are places where they are-Boeing's Lori Gunter
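The alternative spellings listed in the comment above follow the classic `inet_aton` parsing rules: one to four dot-separated parts, each decimal, octal (leading `0`) or hex (leading `0x`), with the last part filling the remaining bytes. A mail or URL filter can fold them back to one dotted-quad form before matching against a blocklist; this is an added example, not code from the thread, and `canonical_ipv4` and `url_host_ip` are hypothetical helper names.

```python
"""Canonicalise inet_aton-style IPv4 hosts found in URLs (added example)."""
import re
from urllib.parse import urlsplit

# One address part: hex (0x..), octal (leading 0) or plain decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def _parse_part(part):
    """Return the integer value of one part, or None if it is not numeric."""
    if not _PART.fullmatch(part):
        return None
    if part[:2] in ("0x", "0X"):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host):
    """Return the dotted-quad form of an inet_aton-style host, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    # Leading parts are single bytes; the last part covers the bytes left over.
    if any(v > 0xFF for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def url_host_ip(url):
    """Canonical IPv4 address hidden in a URL's host, or None for real names."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return canonical_ipv4(host) if host else None


if __name__ == "__main__":
    # Constructed inputs built from the address quoted in the comment.
    for url in ("http://2809255312", "http://0xA7.0x71.0xD5.0x90/",
                "http://0247.0161.0325.0220/", "http://example.com/"):
        print(url, "->", url_host_ip(url))
```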
You'd better duck, these vampire taps can be nasty when they hit yea square in the noggin!
What if it is just turtles all the way down?
Actually, modems stopped increasing in baud at 9600 (I'm almost sure). Baud tells you how many signal changes happen in a second. With compression and other techniques, we can actually transmit more than 1 bit/baud these days.
It sounds like something that could easily be engineered around, not a serious threat to the Internet. Eric http://www.mp2kmag.com
In the latest Lovsan.* worm outbreak, the worm was programmed to generate a DDoS attack to www.windowsupdate.com, only the attack was not very successful because that domain was just a means of redirection to the real Windows Update site (windowsupdate.microsoft.com), so Microsoft just shut it down and avoided any harm.
But with this low-bandwidth exploit, which I believe is actually not a new idea, since IE uses a tricky method to increase speed by leaving persistent connections until they time out that could be exploited, now a worm can potentially DoS any website, even dynamically selecting the target from the users' IE favorites and performing the attack very quickly (maybe in a matter of hours) without having to rely it on being a widespread, coordinated DDoS or what the target OS/Server is.
The paper even claims that in order to protect a server from this type of attack you'd need to sacrifice a good deal of performance, which in most cases is not acceptable so many people can't really afford to implement defenses. Either a clever workaround is made for this exploit, or we have tough times ahead from worm outbreaks and script kiddies.
- Otaku no naka no otaku, otaking da!!!
I know you were offtopic and everything, but I would rather that someone (Bush or Gore or Nader or whomever) who was elected to our highest office would have the morality and intelligence to realize that killing McVeigh was letting him off easy and by locking him in a little box until he either killed himself or died of old age would be a much more suitable punishment than using the death penalty to preemptively end his physical existence. I can keep hoping.
Fnord.sig
BNC is used for linksys wi-fi adaptors (well reverse polarity at least) so us new 1337 wi-fi wardrivers use em too, old geezer my butt
come comment on the madness at http://slashdot.org/~phreak03/journal/
As a Californian, I take exception to that statement.
And as a pedantic ass, I state that "any sentence challenging English usage or pronunciation that ends in a preposition needs revisiting."
And as a victim of Murphy, I don't doubt that someone will find grammatical errors in this posting.
Eloi, Eloi, lema sabachtani?
www.fogbound.net
This does not appear to be true. :j
I think you've been misled by a previously posted bad link. Look at the correct paper here.
you wear panties?
lets play starwars! you're the princess!
"The most looniest, zaniest, spontaneous, sporadic Impulsive thinker, compulsive drinker, addict"
But then again, this was '91 man! All the good shit had been done back in the 80's and there was nothing left to crack! BB don't work nomore! (an aside: I really & truly boxed ONCE. And I got the wrong fucking number. Never could repeat it)
ne1 got any virgin cc's?
Shut down as much of the Internet as possible for a whole month, and THEN *claim* it's the fault of virus writers, spammers, SCO suits and other informatics evil-doers.
I know it looks like a simplistic approach, but just think of the socio/psychological impact on the above-mentioned scapegoats.
Denial of Service via Algorithmic Complexity
dupe
Dupe!
DUPE!!!
Posted by michael on Sunday June 01, @12:56AM from the advanced-topics dept. dss902 writes "We (Department of Computer Science, Rice University) present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures... Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks."
Bloody Not Coming off
Want to see every step I took to start my company? http://www.rowdylabs.com/blogs/pitchtothegods
wouldnt that be more useful as some sort of bludgeoning device?
turn up the jukebox and tell me a lie
Hell yeah, and when I started out, the only way to transfer a file to a floppy disk was with a paperclip and a magnet!
"And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts."
Except for the bursts of traffic from the same host at a certain frequency.
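The check this comment points at can be sketched as follows (an added example, not code from the thread or the paper): bin each source's packet times, then flag sources whose traffic is both sparse and strongly autocorrelated at one lag. The record format, bin width, lag window and thresholds are assumptions, and the three traces are constructed, using documentation address ranges.

```python
"""Per-source check for short bursts repeating at a fixed period (added example)."""
import random
from collections import defaultdict

# All values below are assumptions chosen for this illustration.
BIN_MS = 50                          # histogram bin width
MIN_LAG_MS, MAX_LAG_MS = 500, 3000   # periods searched, around TCP timeout scales
STRENGTH_MIN = 0.7                   # autocorrelation needed to call it periodic
DUTY_MAX = 0.3                       # busy-bin fraction allowed for "short bursts"

# Constructed irregular gaps (ms) for a bursty but aperiodic sender.
IRREGULAR_GAPS_MS = [700, 1900, 1100, 2900, 1500, 2300, 900, 2700,
                     1300, 2100, 800, 2500, 1200, 2200, 1700, 1000]


def bin_counts(times_ms, window_ms):
    """Packets per BIN_MS bin over [0, window_ms); times are integer ms."""
    counts = [0] * (-(-window_ms // BIN_MS))
    for t in times_ms:
        if 0 <= t < window_ms:
            counts[t // BIN_MS] += 1
    return counts


def autocorr(series, lag):
    """Normalised autocorrelation at the given lag (0.0 for a flat series)."""
    n = len(series)
    mean = sum(series) / n
    var = sum((x - mean) ** 2 for x in series)
    if var == 0:
        return 0.0
    cov = sum((series[i] - mean) * (series[i + lag] - mean)
              for i in range(n - lag))
    return cov / var


def burst_profile(times_ms, window_ms):
    """Summarise one source: dominant period, its strength, and burstiness."""
    counts = bin_counts(times_ms, window_ms)
    total = sum(counts)
    if total == 0:
        return None
    lags = range(MIN_LAG_MS // BIN_MS, MAX_LAG_MS // BIN_MS + 1)
    best = max(lags, key=lambda lag: autocorr(counts, lag))
    strength = autocorr(counts, best)
    duty = sum(1 for c in counts if c) / len(counts)
    return {
        "period_ms": best * BIN_MS,
        "strength": round(strength, 3),
        "duty": round(duty, 3),
        "peak_to_mean": round(max(counts) / (total / len(counts)), 1),
        # Sparse AND periodic: a steady or irregularly bursty host fails one test.
        "flagged": strength >= STRENGTH_MIN and duty <= DUTY_MAX,
    }


def profile_by_source(records, window_ms):
    """records: iterable of (time_ms, source_address) tuples."""
    by_src = defaultdict(list)
    for t, src in records:
        by_src[src].append(t)
    return {src: burst_profile(ts, window_ms) for src, ts in by_src.items()}


def sample_records(window_ms=30_000):
    """Constructed flow records for three hosts (not captured traffic)."""
    recs = []
    # 192.0.2.10: a 40-packet burst every 1000 ms, low average rate.
    for start in range(10, window_ms, 1000):
        recs += [(start + 2 * j, "192.0.2.10") for j in range(40)]
    # 198.51.100.7: the same bursts at irregular gaps.
    start = 10
    for gap in IRREGULAR_GAPS_MS:
        recs += [(start + 2 * j, "198.51.100.7") for j in range(40)]
        start += gap
    # 203.0.113.5: steady random arrivals, about 100 packets per second.
    rng = random.Random(1)
    recs += [(int(rng.random() * window_ms), "203.0.113.5") for _ in range(3000)]
    return sorted(recs)


if __name__ == "__main__":
    for src, prof in sorted(profile_by_source(sample_records(), 30_000).items()):
        print(src, prof)
```

The same profile can be computed on the aggregate arrival series at the bottleneck instead of per source.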
Did the other people not read the first line of the abstract?
Group subscription is a useful mechanism for multicast congestion control: RLM, RLC, FLID-DL, and WEBRC form a promising line of multi-group protocols where receivers provide no feedback to the sender but control congestion via group membership regulation. Unfortunately, the group subscription mechanism also offers receivers an opportunity to elicit self-beneficial bandwidth allocations. In particular, a misbehaving receiver can ignore guidelines for group subscription and choose an unfairly high subscription level in a multi-group multicast session. This poses a serious threat to fairness of bandwidth allocation. In this paper, we present the first solution for the problem of inflated subscription. Our design guards access to multicast groups with dynamic keys and consists of two independent components: DELTA (Distribution of ELigibility To Access) a novel method for in-band distribution of group keys to receivers that are eligible to access the groups according to the congestion control protocol, and SIGMA (Secure Internet Group Management Architecture) a generic architecture for key-based group access at edge routers.
In Soviet America the banks rob you!
You can use a modem to post a slashdot article with a link to the target computer...
Sorry, the link referred me to the wrong paper. So the grandparent IS mistaken, and I was too. Here is the abstract for the real paper.
Denial of Service attacks are presenting an increasing threat to the global inter-networking infrastructure. While TCP's congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation results in a well-known vulnerability to attack by high-rate non-responsive flows. In this paper, we investigate a class of low-rate denial of service attacks which, unlike high-rate attacks, are difficult for routers and counter-DoS mechanisms to detect. Using a combination of analytical modeling, simulations, and Internet experiments, we show that maliciously chosen low-rate DoS traffic patterns that exploit TCP's retransmission time-out mechanism can throttle TCP flows to a small fraction of their ideal rate while eluding detection. Moreover, as such attacks exploit protocol homogeneity, we study fundamental limits of the ability of a class of randomized time-out mechanisms to thwart such low-rate DoS attacks.
In Soviet America the banks rob you!
Since it requires accurate timing.
a) Even if the average bandwidth is low, the attacker will still need the ability to burst those peaks. Remember that in most cases, we pay for peak bandwidth and not average bandwidth. A 56k modem likely won't be able to perform one of these DoS attacks because it doesn't have the peak b/w capability.
b) The more hops you are away from your target, the more your peaks will get spread out and averaged. Keep in mind that most cable modem head-ends and the cable modems themselves have REALLY long packet queues. This is why upstream saturation is such a problem for cable modems. You can burst all you want, if you're DoSing from a cable modem it'll be averaged out and/or the timing completely FUBARed by the time the packets leave your neighborhood.
retrorocket.o not found, launch anyway?
http://englishplus.com/grammar/00000195.htm
:-)
The "never-end-in-a-preposition-rule" is essentially absurd. I've read better texts explaining the origin and absurdity better, but that's the best one I could find on short notice.
Murphy strikes again.
-Rob
-Rob Ewaschuk
"When I read the title, I imagined a horde of old geezers, using walkers, coming at me with sticks..."
Of course. Old Age and Treachery ALWAYS overcome Youth and Skill.
Now get out of here before I whip ya with this here cable with BNC connectors.
For 1337-speakers that may have never seen those... they were big pieces of METAL on the ends of network cables.
None of those sissy plastic phone-jack "snagless" wires in the old days. These things were physically keyed. If you tugged on the cable hard enough, the thing you were most likely to do was pull the wire out of the connector. If that didn't happen, then you're probably dragging your computer along the floor.
While I'm being silly about network cables... where the fuck did snagless connectors come from and why are they a good thing? As my arthritis gets progressively worse, I find myself loathing those things more and more.
I am disrespectful to dirt! Can you see that I am serious?!
"By sending small bursts of packets at just the right frequency...."
That's not a problem. All you have to do is periodically adjust your shield harmonics to keep the attacker from adapting quickly enough to do any harm.
I hereby have renamed my "2400 baud modem" to "2400 freedom connection device"
my guess is it's a weird holdover of the days when CS was considered the domain of mathematics departments.
:D
that, or CS people deciding to add even more jargon to otherwise perfectly comprehensible sentences.
ed
Bonus Points!!
Unlimited growth == Cancer.
Tempting to mod that down, but instead I'll reply with a correction.
This is the correct paper:
Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)
This is the abstract you read:
Robustness to Inflated Subscription in Multicast Congestion Control
These are separate papers by different authors. The TCP DoS does not involve Multicast.
I've always wondered what that was for.
My amazing wife - Artist, Author, Philosopher - Laurie M
No. Modems stopped increasing in baud at 2400, and then used various encoding methods (trellis, QAM, etc.) to squeeze more than 1 bit/baud. A 9600 bps modem, for instance, averages 4 bits/baud.
Well. Almost.
Better quality phone lines can support >2400 baud, but not by much. A 28800 bps connection is running at 3429 baud IIRC, and varying line conditions will reduce that baud rate, thus reducing your effective bps.
Compression is on top of all of this. It's an entirely different issue, and if you transfer straight text over a 28.8k modem you can get considerably more than 28.8kbps out of the modem.
You got the broad stuff right though, which is a lot more than most people grok.
I still have (somewhere in my parent's basement) an old DECWriter teletype, with a switchable 75 baud modem. I think you can switch it to either 115 or 150, but I can't recall which one. And the worst part: It's still in working condition. I'm holding on to it, it might be worth something someday.
But as far as modem goes, I held on to all my modems, from my Atari 130XT 300bps modem, all the way up to my first 9600baud telebit.
Sometime, it's just not worth it to scrap those.
Marriage is considered capital punishment for the theft of a goat in some third world countries...
And by letting him live, he could have drastically increased the possibility of McVeigh killing an imprisoned pedophile priest.
F******CK!!!!!! Have you never seen a TV cable???? Those connectors are JUST LIKE BNC, unless you look too close:-)
Or running the worlds largest army's most central headquarter without ground to air defense?
10 ?"Hello World" life was simple then
Ha! I had to wake up at 2:00am every morning, make our own cable from a pile of rusty nails with our BARE HANDS. We didn't have PHONES so we had to SCREAM the audio training signal at the line and HOPE that the lucky bastard on the other end of the line heard it and understood it. If I was lucky, I could kill a rat in the street in front of our house and eat it before my father beat us till we went to sleep.
Well, I was being somewhat tongue-in-cheek.
Still, I'm never one to embarrass myself without an encore. So to dig myself in deeper, I'd have to argue that linguistic grammar rules are *all* essentially absurd, particularly when looked at individually. The splitting of infinitives is, or has been, frowned upon because of the structure of Latin. The reference you provide gives a similar reason for the tradition of avoiding prepositions at the end of a clause. There are many other examples of grammatical rules that are based upon other languages.
But fundamentally, language is a set of conventions. This set changes over time. Some are part of the language because they clarify the meaning -- dangling participles lead to ambiguity, for example. Others are just arbitrary rules, based upon convention, history, or accident. Look at English spelling and pronunciation, for example.
I suppose I should get to some point around now, but I think I'll just quit here.
Eloi, Eloi, lema sabachtani?
www.fogbound.net
Lindows was sued before they even released their product.
If you use Linux, please help development of Autopac
Have you never seen a TV cable????
:D
Unless you mean the cable that my internet comes on, I don't think I know what you're talking about
I am disrespectful to dirt! Can you see that I am serious?!
You make it sound like BNC connectors are outdated tech. They are still used in television (professional equip), oscilloscopes and other test & measurement devices, and some RF equipment; to name a few uses...
Too bad this is a *completely different attack*! Jeez, read the friggin' paper, people. The paper you reference talks about a DoS which exploits data structures commonly used in TCP stacks. The DoS in the paper referenced for this article exploits TCP congestion control algorithms to "fool" the TCP stack into thinking the pipe is full when it really isn't by sending carefully timed packet bursts.
The paper that describes the attack in question is "Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)". You're reading the paper BELOW that one: "Robustness to Inflated Subscription in Multicast Congestion Control"
Like they said, it's a real sloooooooooooooooow attack.
The / in
All coaxial connectors are very similar. I remember trying to hook up thinnet network cards with a TV cable at one point, and almost succeeding (I had terminators, but no cable:-0 It only worked as long as I held the connector in place by hand, and with high error rate at that).
Just set the evil bit, and all is well.
Slashdot.. Land of nerds, trolls, and FlameBait..
I also seem to recall that the phone system generally drops any signals higher than 4khz. So it's not just the quality of the phone line that is the issue.
WARNING -- Data from the early 1990's -- WARNING
I thought BNC were positive keying coax cables, not "F-Type Coaxial Connector"
IIRC Cable TV cables are threaded; BNC are keyed...
I am disrespectful to dirt! Can you see that I am serious?!
They might be a lot of things but I just don't remember MS being particularly litigious.
There are places where the networks are not touching, and there are places where they are-Boeing's Lori Gunter
I already discovered this about 1.5 years ago while working on a network monitoring application. I was keeping it quiet because the low-cost way of causing a lot of trouble with this would be too much for script kiddies to ignore.
In a test run from the local LAN to the WAN, my colleagues were complaining terribly about slow connections, but when I looked I was only using about 5% of the bandwidth, so why would I be the problem.
The thing I discovered was that I was sending out small packets (64 byte) at the frequency of the latency, thus causing packet fragmentation (no 1500 byte packet fitted in between my well timed transmissions). The result was packet fragmentation on the local network, and retransmits of smaller packets needed over the internet. They caused more trouble on the line, further degrading the performance. My test however didn't seem to suffer. The test data was perfect (-:
This was a 2mbit line connected to my local 100mbit line. What I am wondering is how you can get this way of attack going if you don't have enough control over the timing. If you put packets on the line on your own line (DSL, typical latency 16 to 17ms), and attack a 6ms line, your packets will arrive with way too big a gap in between to do any harm (except suck up a part of the bandwidth and in that way becoming a standard DOS attack). So the only way to do this is if your line has an equal or lower latency, or use perfect millisecond timing over several slower lines.
The internet itself is causing some trouble too: Every hop in between means bigger bandwidth and lower latencies. A chance for the router to insert good working packets in between the packets of the attack.
Well...
Actually, linguistic grammar rules are not absurd, they compose the real rules of the system -- things like the subject agreeing with the verb, or rules that govern the relationship between words in a sentence ("The dog bites the man" has a different meaning than "The man bites the dog").
What you're talking about are best described as social grammar rules, or maybe "school grammar" is a better term.
If I remember correctly, the origin for these fake rules came from a fad around grammar books at the end of the 19th or 18th century (can't remember which). As a model, they used the Latin grammar books to formulate the rules.
Now, in Latin, it is impossible to split an infinitive, because it is one word. Furthermore, prepositions in Latin are generally combined with definite articles and must be placed before the object of the preposition. That's not school grammar, that's just part of the linguistic grammar rules of Latin. This is true of any latinate language, by the way.
If you try to ask in Italian:
Che e' questo fatto di?
You'll get a confused, blank stare.
But if you ask, in English, the same question word for word:
What is this made of?
They'll understand you perfectly, because it follows the linguistic grammar rules of English, even if it breaks "school grammar" rules.
Karma: Chevy Kavalierma.
finally us underclockers will finally get some respect.
It isn't outdated, but it is old.
My wife's monitor (older 21") has both BNC ports and a VGA port on the back.
For networking, though, it is outdated.
My beliefs do not require that you agree with them.
Someone better tell the SoBig virus author to cancel his work on version G, as a large number of zombie hosts are not needed....
we have covered this in the past. it's not bayonet whatever whatever and it's not bolt nut connector, etc.
it's actually Bayonet Neill Concelman. check out http://www.marvac.com/funpages/rf_information.htm
not to mention, 8 inch floppies were long gone before 2400 baud modems came out. hell, my 300 baud modem came out after my 8 inch floppy was gone.
Most houses weren't, considering that neither Ethernet nor Token Ring used them yet.. Most houses still aren't wired that way. P.S. The connector you are thinking of is RJ-11.
Cripes, I must be older than I thought. My Apple ][ screamed with its 300/1200 modem.
I couldn't use the 1200 speed for a year as there wasn't anywhere local to dial in to at such a high speed.
I still have my Hayes 2400 baud external modem. How old am I? Finally a use for my Apple IIc!!!
---
Lousy rotten karmic retribution.
exactly.. I CALL FAKER, TOO!
no one with a 600,000+ uid is ALLOWED to say thicknet here!!
now beat it, kid, before **I** hit you over the head with my PK-88!
Intelligent Life on Earth
The phone system has an 8 KHz bandwidth... I think it's something like ~150 Hz - ~8000 Hz. At least that's the spec. Some very old lines aren't that good, some newer lines are far better.
:)
:) (although that's not true world wide...). Interesting stuff.
And there's a boatload of various technologies (loading coils for example) that are designed around maintaining those frequencies at the cost of all others, which causes problems with high speed modems and utterly breaks DSL.
It's ok that your data is from the 1990s... the phone system was designed in the 1930s and hasn't changed dramatically since
I had the pleasure of seeing the inside of a CO in downtown Atlanta in the early 90s. From the battery room with 45 gallon drums of baking soda in case of an acid spill, to the entryway with cables varying from the thickness of your arm (old, old, old copper) to less than a pencil (fiber), to 40 foot by 3 foot by 6 foot long switches that were being replaced by a pair of boxes the size of Coke machines. All an interesting mish mash of old and new technologies and all working together. At least they'd gotten rid of the mechanical switches
I would think that IPSEC and AH would solve this problem, among many others.
Mea navis aericumbens anguillis abundat
Whatever. :) All I know is I had a giant plug with four prongs on it.
Phhht.. I have an even better method of DOS, without reading the article: 1. Post site link on slashdot. 2. Watch site go down. 3. Wipe hands on pants, repeat as needed.
...and GPS antennas.
Especially Garmin, which makes some nice GPS systems, but will rob you blind on accessories if you're not wise enough to spot a BNC cable or notice that the built-in antenna is detachable.
Garmin sells a remote antenna kit for $99 which is basically an 8' BNC cable and an antenna not much different than the one that comes with the GPS units (which you can buy without the BNC cable for $60.) Just an 8' cable with no antenna is $38!
These cables are trivial to find for under $5 elsewhere. Or for free if you have old network crap lying around as I do.
BNC is dead! Long live BNC!
everything in moderation
Any technology not indistinguishable from magic is insufficiently advanced. -Pratchett
While Pratchett has a sizable amount of great quotes this one isn't his. It's one of Clarke's Laws.
Illogically, it is actually easier to establish and maintain a 56k connection than it is a 33.6K connection, when the local phone line is the only thing in question. (with 56k, you also have to have no more than one analog->digital conversion in between you and the phone company).
A 33.6K connection requires a symbol rate of 3200, which is greater than the 2800 that the 56K uses; hence, when customers would ask "What's the chances I can get 56k out of my line" and the tech would answer "Can you connect at the maximum 33.6K right now? If not, it won't work", they were flat out wrong.
LRC, the best-read libertarian site on the web
I've ripped many a tab off the standard connector while pulling it through patch panel cable spaghetti. In patch panels snagless connectors are practically a requirement. However, they are not the nicest things to plug into a NIC and then attempt to unplug down behind a desk. Of course, buying both types simply implies the one used will be the incorrect one for the application. You'll still curse the snagless connector under the desk while cursing the tabless connector that fell out of the patch panel.
No, the phone system runs at 8 kSamples/second, which means you have a maximum theoretical Nyquist bandwidth of 4 kHz. The actual bandwidth of the phone system is less than 3 kHz - it runs from about 300 Hz to 3 kHz.
www.eFax.com are spammers
I'm not talking about the fact that cable modems have low upstream caps, I'm talking about what happens when you hit those caps.
Due to the extremely long packet queues of a cable modem, when the upstream connection saturates and the queue starts filling up, latency goes to hell. No matter what the cap is, if you saturate a cable modem's upstream connection, everything falls apart because of the fact that the latency on all packets (including ACK packets) skyrockets.
If the cable modem didn't have such a long packet queue this wouldn't happen when the connection saturated, or at least it wouldn't be so severe.
retrorocket.o not found, launch anyway?
Your wife's monitor has BNC ports? What's its IP address, I'll try to ping it.
Hmm, I'll read it next time :)
What is this with the Rice University doing so much research into low bandwidth DoS attacks?
"well, i've got a good excuse. my native language is not english :p "
Too bad nobody ever considers this possibility when somebody makes a grammatical error.
Off-topic, I know. Just bothers me that others who have taken the time to learn English can get shit on by people who are overly obsessed with speaking it the way some old book defines.
"Derp de derp."
"No. Modems stopped increasing in baud at 2400, and then used various encoding methods (trellis, QAM, etc.) to squeeze more than 1 bit/baud."
A few weeks ago, a coworker of mine living on the opposite side of the country had a problem with his dialup ISP. I dialed his number (on the East Coast) from here on the West Coast. To my surprise, that was THE fastest dialup connection I had ever made. Sorry, the numbers have faded from memory, but it was very quick and responsive, much more so than the 56k modem I had merely 2 years ago.
Frankly, I was stunned. I expected that considering how far the signal had to go and how many hops it had to make that it'd be degraded. Wasn't like that at all.
I must ask, why? Why was I getting such a good signal this far away?
"Derp de derp."
I observed this problem 10 years ago from Soviet Union and can confirm it - traffic jitter on Europe-US link from European hosts produced a dramatic decrease in TCP performance on Sun Solaris (or just timeout it with enough bandwidth!) and I researched this problem that time.
However, article does not take into account the typical server behaviour - server has _essentially_ more output than input and typical bottleneck is in _output_ direction. It is more difficult to dramatically increase RTT by overloading low-loaded input channel via bottleneck or attacker should find some equally-side loaded bottleneck like LAN-to-LAN with servers on both sides. It could be a problem for big Universities but rarely for commercial companies like Yahoo or Ebay.
O, you can overload an output channel too but you have to have an open TCP link to server inside and show your real IP address and use high-volume output requests to server!
Finally, attack is simple as long as victim's router has a LIMITED inbound traffic queue size. Unfortunately it is very often today - it is a simplest way to increase an interactive response time. Victim should use protocol-selective bottleneck router queue to improve his response time instead of short-sized buffers in inbound routers: it can eliminate a packet loss and smooth a problem.
- Leonid Yegoshin.
This sounds quite a bit like the "Capture Effect" experienced by early Ethernet designers (circa 1994) and described in a number of papers. (e.g. http://citeseer.nj.nec.com/molle94new.html). Ethernet fixed it by adding a pseudo-random backoff delay for retransmissions. In fact, I'm surprised the authors didn't cite at least the Molle paper given that they suggest a randomized RTO as one of the possible solutions.
Saving random seed...
a southpark rip off joke calling a sco joke unfunny
;p
i wonder if that would happen in soviet russia
Bill? A fattie? The only thing fat about Bill is his wallet.
If all you have is a hammer, everything looks like a nail.
...but not youth, skill & treachery...
The infamous Slashdot math I guess.
> now beat it, kid, before **I** hit you over the head with my PK-88!
Hush, or I'll hunt you down like a wumpus and make you program
a Quake workalike in CoBOL.
Cut that out, or I will ship you to Norilsk in a box.
> any sentence challenging English usage or pronunciation that ends
> in a preposition needs revisiting
"at" in that sentence is not functioning as a preposition; it is
functioning as the complementary part of the verb. Besides, the
rule "never end a sentence with a preposition" is significantly
oversimplistic; the correct rule is that the words in a prepositional
phrase must be kept together, in this order: the preposition first,
followed by any standard attributive adjectives modifying the object,
followed by the object itself, followed by any additional modifiers
(such as modifying phrases or clauses). The occurrence of other
words, not part of any prepositional phrase, that in other
circumstances might be used as prepositions, is irrelevant.
Cut that out, or I will ship you to Norilsk in a box.
> All I know is I had a giant plug with four prongs on it.
Oh, those. Incidentally, you can make a standard phone line work
with only two of those four wires. (This is still true with an
RJ12 connector; you only need two of the wires, for a voice line.)
If you think it's bad trying to keep RJ12 and RJ45 straight, you
ought to have to deal with the *other* kinds of modular connectors.
RJ12 has four wires and RJ45 has eight, but did you know, there are
two different kinds with six wires, differing only by the placement
of the little clip thingy that holds them in the socket? The one
with the centered clip is RJsomething (I forget the number, but it's
between 12 and 45); the off-center one is called MMJ or DEC423. I
have a crosspinned inline coupler for this type... and a real,
non-historical use for it.
Cut that out, or I will ship you to Norilsk in a box.
British Naval Connector
Not only did we invent the world wide web, we invented that too, and your Al Gore *still* claims to have invented the Internet!
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
I thought the same thing - 20 years ago, when I did all my Telecommunications theory and practical training...
;-)
.mp3 encoded @ 56k ;-)
.mp3 compression to those 1950's engineers, then come back and face a life of 4800bps dialup?
1) Psychological: Firstly, there's a law of diminishing returns - there's not much point (with voice) in going beyond 300Hz -> 3.4kHz (as I learnt it; I understand the US rolls off at more like 3.0 or 3.2kHz...). 90% of the intelligence in speech is contained in that band, 90% of the stuff outside is just rumble and sibilants.
Secondly, there's the learned psychology - you've become mentally adapted to the restricted bandwidth of phone calls; you're unthinkingly aware that it's not a *real* conversation. I've seen videos of demonstrations of this where a normal voice-quality link was suddenly switched to a full 20kHz quality mono link. People automatically stop scratching themselves, sit up properly, adjust their clothes, and start looking around
2) When compression techniques became available (1950's), there was huge interest in this. As well as the psychological effects, there was also the knowledge that you're really only trading one sort of distortion for another, so why bother - just stick with the distortion that's easiest to implement, is well understood, and well accepted. If you think we've come too much farther with compression techniques, I challenge you to listen to a spoken-word
And be thankful they didn't - any sort of compression adapted for voice fscks up the modulation schemes used for VF modems. Knowing this, would you go back and introduce
What part of "a well regulated militia" do you not understand?
If a link is posted on ./ and no one reads it - does it trigger a /. effect?
while (!asleep()) sheep++
> I must ask, why? Why was I getting such a good signal this far away?
Because distance doesn't matter much. All that really matters is the state of the copper between your house and the CO and the copper between the remote CO and endpoint. The stuff in between is almost assured to be fiber nowadays, unless it's a really small CO servicing a rural community or something.
In fact, by going cross-continent you pretty well assured a fiber connection.
As far as why it was more responsive though, dunno. Most likely there have been infrastructure upgrades in your area that cleaned up the lines. That's all I can think of.
Nah, hit him with the CAT-5 o' nine tails.
This attack is not a "low bandwidth" attack as such. Yes, the bandwidth consumption *on average* is low, but this is because it consists of intermittent high-stream data flows.
This type of attack wouldn't be suitable for anyone with a low-speed connection for people who are having ideas.
I would prefer to think of it as an optimised version of a standard DoS attack. Optimised by average bandwidth consumption, and to minimise attacker detection.
That would be the Jason Voorhees Law of Inverse Travel.
The faster you run away from the slow moving attacker the easier it is for them to catch up with you.
I speculate that by running directly at Jason he will get exponentially farther away, but have been unable to test this in real world conditions.
Well I've wrestled with reality for thirty five years doctor, and I'm happy to say I finally won out over it.
this guy didn't even read the title.
No, you misread the article.
it's a LOW BANDWIDTH attack, it isn't filling the pipe.
It is a low AVERAGE bandwidth attack. It works like a strobelight, each pulse saturates the pipe. The pulses themselves must be high bandwidth.
denial of service doesn't always mean it's a flood.
In this case it does mean a flood, but the flood drops to zero 90% of the time. No current firewalls or other defenses currently detect it, and for a variety of reasons it is difficult to detect and block. For one thing such an attempt has a high risk of triggering a false positive and blocking legitimate traffic. Also once an actual attack has been initiated all legitimate traffic on that pipe tends to synchronize with the attack, amplifying it and confusing the situation.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
1. Many routers have queues big enough to absorb short bursts like that; so, there won't be packet loss.
2. Routers could be taught to put acks at the front of the queue (if they don't already).
3. Routers could keep track of the max number of messages in a queue from any given IP. This would identify this DOS attack as well as any other bursty traffic.
An engineer who ran for Congress. http://herbrobinson.us
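The per-source tracking suggested in point 3 above, combined with the "low average, link-saturating pulses" description earlier in the thread, can be sketched as a detector. This is an added example, not code from the paper or from any commenter; the link capacity, bin size, thresholds and the traffic trace are all constructed assumptions.

```python
from collections import defaultdict

LINK_BPS = 2_000_000   # assumed bottleneck capacity in bits/s (constructed)
BIN_MS = 50            # per-source accounting interval (assumption)

def bin_traffic(packets, duration_ms):
    """packets: (timestamp_ms, src, size_bytes) -> {src: [bits per bin]}."""
    nbins = duration_ms // BIN_MS
    bins = defaultdict(lambda: [0] * nbins)
    for ts, src, size in packets:
        if 0 <= ts < duration_ms:
            bins[src][ts // BIN_MS] += size * 8
    return bins

def burst_profile(series):
    """Return (average utilisation, peak utilisation, gaps between burst starts)."""
    cap = LINK_BPS * BIN_MS / 1000          # bits the link carries in one bin
    avg = sum(series) / (cap * len(series))
    peak = max(series) / cap
    hot = [b >= 0.5 * cap for b in series]  # bins where this source half-fills the link
    starts = [i for i, h in enumerate(hot) if h and (i == 0 or not hot[i - 1])]
    return avg, peak, [b - a for a, b in zip(starts, starts[1:])]

def flag_pulsed_sources(packets, duration_ms, max_avg=0.25, min_peak=0.9,
                        min_bursts=4, max_jitter_bins=1):
    """Flag sources with a low average rate, link-filling peaks and a steady period."""
    flagged = {}
    for src, series in bin_traffic(packets, duration_ms).items():
        avg, peak, gaps = burst_profile(series)
        if len(gaps) + 1 < min_bursts:
            continue                        # too few bursts to call it periodic
        mean_gap = sum(gaps) / len(gaps)
        jitter = max(abs(g - mean_gap) for g in gaps)
        if avg <= max_avg and peak >= min_peak and jitter <= max_jitter_bins:
            flagged[src] = mean_gap * BIN_MS / 1000   # burst period in seconds
    return flagged

def constructed_trace():
    """Constructed 10 s sample: one pulsed source, one steady, one bulk transfer."""
    pkts = []
    for k in range(10):                     # 100 ms at link rate, once a second
        pkts += [(k * 1000 + j * 5, "192.0.2.10", 1250) for j in range(20)]
    for b in range(200):                    # steady 20% load
        pkts += [(b * 50, "198.51.100.7", 1250), (b * 50 + 25, "198.51.100.7", 1250)]
    pkts += [(4000 + j * 5, "203.0.113.5", 1250) for j in range(200)]  # one 1 s burst
    return pkts

if __name__ == "__main__":
    print(flag_pulsed_sources(constructed_trace(), 10_000))
```

The single bulk transfer has the same 10% average and 100% peak as the pulsed source but is not flagged, because only the repetition at a steady period separates the two; that is the false-positive risk raised earlier in the thread.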