Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Low Bandwidth Denial of Service Attacks

Posted by CmdrTaco on from the i'm-very-slow dept.

An anonymous reader writes "A paper from Rice University appearing at the 2003 ACM Sigcomm Conference presents a new denial of service attack where the attacker only needs to send at a low rate to shutdown TCP flows. The trick exploits the retransmission timeout mechanism in TCP. By sending small bursts of packets at just the right frequency, the attacker can cause all TCP flows sharing a bottleneck link to simultaneously stop indefinitely. And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts. The presentation, and other presentations from the conference, are available online (live streaming)."

44 of 366 comments (clear)

  1. Oh no! They're attacking... slowly... by mgcsinc · · Score: 3, Interesting

    When I read the title, I imagined a hoard of old geezers, using walkers, coming at me with sticks... but seriously, I don't see how this type of attack could prove as unstoppable or undetectable as claimed; I'm not particularly briefed with the mechanics of Retransmission Time Out, but can the mechanism not be tweaked to avoid these types of attacks without sacrificing all of its benefit?

  2. yay by geighaus · · Score: 4, Funny

    Yay, finally there's use for my trustworthy 2400bod modem :D

    1. Re:yay by cK-Gunslinger · · Score: 4, Funny

      2400 baud? Back in my day, I had to run back and forth to my ISP yelling in binary.

      "101010100010100"

    2. Re:yay by CERDIP · · Score: 4, Funny

      Yeah, and it was upstream both ways, too!

      --
      ---- ---- --- -- --- ------ Keep Cool But Do Not Freeze
    3. Re:yay by KUHurdler · · Score: 5, Funny

      You had "1"s? all I had were zeros

      --
      Fix Your Own TV - RiddledTV.com Avoid the Landfill
  3. Tough paper to read by Brahmastra · · Score: 5, Funny

    This is a tough paper to read. It's going to be a long time before an "Insightful" post.

    1. Re:Tough paper to read by SuDZ · · Score: 4, Funny

      There is already a handfull of people trying to prove you right. :)

      SuDZ

    2. Re:Tough paper to read by tomhudson · · Score: 4, Informative

      Actually, this isn't new. The exact reverse concept was mentioned here as a way to fight spam.

  4. Low bandwith DOSing? by XSforMe · · Score: 5, Funny

    are available online (live streaming).
    This guy is an amateur, wait until he feels the slashdot effect on his server. His next presentation will be entitled, how to knock down any server by just posting an article.

    --
    My other OS is the MCP!
  5. Re:Oh no! They're attacking... slowly... by cK-Gunslinger · · Score: 5, Interesting

    Actually the paper address defense mechanisms, such as randomly varying the time out interval, but it turns out that the performance lost in TCP efficiently nulls any benefits. Interesting paaper.

  6. Dupe story. Mod me sideways... by fuqqer · · Score: 4, Informative

    This is a duplicate storyfrom a looonnnng time ago. May 31 as a matter of fact. This means something considering the amount brain cells I kill with liquor everyday.

  7. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  8. Security through obfuscation by RobertB-DC · · Score: 4, Insightful
    My first thought was, "Oh, great, now the 5kr1pt k1dd1e5 will have another instruction manual."

    Then, I downloaded the .pdf file, and started reading it. My head's still spinning!

    Here's a sample:
    When the number of flows in the system is high, a fraction of flows' retransmission timers will expire sufficiently near time (alpha) such that those flows can partially recover and utilize the available bandwidth in the period from time (alpha) to time (beta), when all flows will again experience an outage.
    And that's one of the more lucid sentences.

    Anyone who would be able to put together an actual attack from this paper probably has enough education to get a real job -- something that doesn't go well with writing malware on the side.

    Of course, now that the paper's being discussed on Slashdot, all bets are off!
    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:Security through obfuscation by Abcd1234 · · Score: 4, Interesting

      When the number of flows in the system is high, a fraction of flows' retransmission timers will expire sufficiently near time (alpha) such that those flows can partially recover and utilize the available bandwidth in the period from time (alpha) to time (beta), when all flows will again experience an outage.

      Bah, the paper isn't that bad. Heck, without reading the whole thing and knowing a little bit about what they discuss (based on the first section), I can understand what you've quoted (if I'm correct, this is from their section on mitigating attacks using randomized RTOs).

      Really, the basic concepts are *incredibly* simple. Send a burst of traffic which causes drops in the short term. This results in the TCP stack backing off and re-transmitting the packet after the defined RTO. So, if you hit the stack with another burst of packets just as the RTO is expiring, the stack will back off again. Lather, rinse, repeat. This requires a lot less traffic, since your bursts are spaced apart (roughly a second per burst, typically, since that's a pretty standard RTO).

      Really, all you need is a basic understanding of TCP flow control to understand the concepts in this paper (which, BTW, they attempt to explain in the first section). The rest of the content (modelling TCP flow rates relative to DoS flow rates, etc) is really just the formal analysis of the basic attack, which certainly isn't important if all you care about is implementing it.

  9. Arrest them! by canajin56 · · Score: 5, Funny

    Good grief, they are giving instructions for how to DoS people! Arrest them using the DMCA! QUICK, BEFORE THE CAT IS OUT OF THE BAG!

    --
    ASCII stupid question, get a stupid ANSI
  10. "Coordinated DDOS" by mcc · · Score: 4, Funny

    [Scene: SCO Group, Utah. Where a "coordinated DDOS" is just beginning..]

    [SUIT 1] Uh, hey, uh.. this one computer here.. it's like the webserver or something?
    [SUIT 2] Yeah, I think, why?
    [SUIT 1] Well, none of the lights on it are on.. that's.. hm.
    [SUIT 2] Oh, yeah, hey, look at that, someone seems to have tripped over the cord and unplugged it. [[Switches it back on]]
    [SUIT 1] Huh.. um.. it doesn't seem to have started up all the way. It's saying something about "fsck" and asking for a password. What does that mean?
    [SUIT 2] Hm, not sure.
    [SUIT 1] Well.. could we get one of the linux guys to come and reboot it? Or something?
    [SUIT 2] Well, we fired all of the linux guys so that we could concentrate all our resources on the lawsuit.
    [SUIT 1] Uh.. shit! Well, I guess I better figure something out.. hmm
    [[ Two days later, after two days of phone calls, SUIT 1 finally finds an INDEPENDENT CONTRACTOR who doesn't just laugh and hang up on him when he says he wants them to come fix a linux server. INDEPENDENT CONTRACTOR starts the linux server up all the way and charges a great deal of money. "Coordinated DDOS" thus ends. ]]

    --
    Irritable, left-wing and possibly humorous bumper stickers and t-shirts
    1. Re:"Coordinated DDOS" by Richthofen80 · · Score: 3, Funny

      Step 1: Make fun of SCO
      Step 2: ???
      Step 3: Karma!

      come on guys, that wasn't even very funny.

      --
      Reason, free market capitalism, and individualism
  11. Direct link to paper by Hygelac · · Score: 5, Informative

    Gzipped Postscript file

    --
    -- Grow up and use mutt.
  12. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  13. Re:yay (faker!) by gosand · · Score: 5, Funny
    Yay, finally there's use for my trustworthy 2400bod modem :D

    Anyone who is actually old enough to have used one of these would certainly know how to spell it correctly.

    I call faker! You are just trying to pretend you are some 31337 old geek when you probably have never used anything slower than a DSL line.

    Now get out of here before I whip ya with this here cable with BNC connectors.

    --

    My beliefs do not require that you agree with them.

  14. Re:Where can I read about this? by cK-Gunslinger · · Score: 4, Informative

    Uh, click on the word "paper" in the story, then click on "This paper is available in Adobe PDF format."

    Or Cick Here

  15. better papers this year by carpe_noctem · · Score: 5, Interesting

    Not to rain on the parade here, but I thought there were a number of more interesting papers from sigcomm this year. Namely:

    - Peer-to-Peer Information Retrieval Using Self-Organizing Semantic Overlay Networks
    - Quantum Cryptography in Practice
    - Making Gnutella-like P2P Systems Scalable

    Just some more food for thought....

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  16. Saturation! by pvera · · Score: 4, Interesting

    Back in my days as a satellite network controller for the Army it was common knowledge all it takes to saturate the whole frequency range for the commo payload is a nice 75Khz spike (enough carrier for a FM orderwire signal). People would argue it could not be done since we pretty much owned the 7.25->8.4 GHZ spectrum, but it worked pretty damn well. This is the equivalent of saturating a T1 with a 14.4 modem.

    --
    Pedro
    ----
    The Insomniac Coder
  17. Aha! by Pig+Hogger · · Score: 3, Funny
    So that's what happenning to Joe Jared's Osirusoft black-hole list, and the SPEWS website...

    I call to all arms-bearing full-bloodied americans to rush home, take their trusty shotguuns, and relentlessly hunt down spammers until the last one is gutted and stuffed and put on display in the Smithsonian!!!

  18. Re:Oh no! They're attacking... slowly... by Wolfger · · Score: 4, Funny

    It seems to me that the solution is to have a variable RTO... Kinda like when LaForge had to continually modulate the shield frquency to keep the borg from adapting. :-)

    --
    Nothing to see here. Move along.
  19. Re:I doubt it... by sg_oneill · · Score: 4, Insightful

    I'm pretty certain that my firewall would flag the bursts. If not, seems a simple rule or two would suffice to flag them. I'd like to see this in action. I suspect that it is pretty lame and easily detected.

    My guess is that by Friday night, the kiddies will have thousands of these going. So, I guess I can do see for myself tomorrow

    Ah. sure dude.

    Not sure how a firewall helps with DOS and DDOS attacks however. something floods your pipe, and its flooded, no matter how clever your firewall is. Try reading the article :)

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  20. 2400? 2400?!? by burgburgburg · · Score: 4, Funny
    You were lucky.

    In my day, we had to get at 2:00am, clean the road with our tongues, crawl to work on broken glass and when we got there, we had to work with 6 baud modems that were powered by rabid hamsters. And we were glad for them.

  21. Re:yay (faker!) by hey · · Score: 5, Informative

    "baud" is named after J.M.E. Baudot who was French. more info

  22. Re:Down with sexism! .. I mean, IPv4! by Politburo · · Score: 4, Insightful

    Insightful? This is CRAP. It's called TCP/IP. Whether its TCP/IP4 or TCP/IP6, theres still TCP, and that's what this attack targets.

  23. Shhhhhhhh!!! by JoeLinux · · Score: 3, Funny

    Like Microsoft (May Billy Gates live forever) says, "If nobody does any research on it, nobody'll know it exists, right?"

    That was totally irresponsible. They should have not released theat information, and promptly committed Hari-Kiri so the information would never be uttered again on the face of the earth.

  24. Timescale by rf0 · · Score: 4, Funny

    Paper Today
    Proof of Concept by Monday
    Script Kiddies Version by Thursday
    Internet dies on Friday
    All back to normal Monday

    Rus

    --
    Cheap UK and US VPS
  25. Re:Obligatory simpsons quote... by admiralh · · Score: 5, Funny

    When a blimp crashed on a roof a few years ago, I always envisioned the people on the roof looking up and shouting, "Look Out! Walk for your lives!"

    --
    Hopelessly pedantic since 1963.
  26. Summary for non-CS people by Apparition29 · · Score: 4, Interesting

    Essentially this says that all you do is to continually convince TCP that the 'pipe' is full of information and to take counter measures.

    TCP will do this with a preset procedure that was designed to elminate deadlock situation. The problem occurs when everytime the TCP stack trys to resend the information, you can fool it by filling the 'pipe' again. As long as you know when the TCP stack will retry again, you can continue this over and over. Because it does not take a lot of information to fill the 'pipe' for the short time that TCP attempts to resend, you can have a low bandwidth attack.

  27. Worms can potentially exploit this by Rolman · · Score: 5, Interesting

    In the latest Lovsan.* worm outbreak, the worm was programmed to generate a DDoS attack to www.windowsupdate.com, only the attack was not very successful because that domain was just a means of redirection to the real Windows Update site (windowsupdate.microsoft.com), so Microsoft just shut it down and avoided any harm.

    But with this low-bandwidth exploit, which I believe is actually not a new idea, since IE uses a tricky method to increase speed by leaving persistent connections until they time out that could be exploited, now a worm can potentially DoS any website, even dynamically selecting the target from the users' IE favorites and performing the attack very quickly (maybe in a matter of hours) without having to rely it on being a widespread, coordinated DDoS or what the target OS/Server is.

    The paper even claims that in order to protect a server from this type of attack you'd need to sacrifice a good deal of performance, which in most cases is not acceptable so many people can't really afford to implement defenses. Either a clever workaround is made for this exploit, or we have tough times ahead from worm outbreaks and script kiddies.

    --
    - Otaku no naka no otaku, otaking da!!!
    1. Re:Worms can potentially exploit this by IM6100 · · Score: 3, Funny

      The Internet is a consensus-based network, based on protocols which were intended to be robust, but never intended to scale to the degree that they have. Much of the Internet is based on the idea that the people using it could agree to external rules to keep it civil.

      This whole scheme breaks down badly as the Internet and it's protocols are scaled to the 'big mean world'. Spam is the result in the domain of email. Things like this low bandwidth DoS attack are the result in the domain of TCP.

      Problems like this are inherent in the very design of the Internet. Any global network whose rules are coached in terms like 'Request For Comment' is asking for problems.

      These sorts of problems are what is going to force the balkanization of the Internet. Look for the net to slowly migrate toward a group of proprietary ISPs all talking to one another through gateways. It's not far off.

      We can't all get along like this is 1987 and we're all happy Unix-heads at various scientific institutions much longer.

      --
      A Good Intro to NetBS
  28. Undistinguishable? by _iris · · Score: 4, Insightful

    "And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts."

    Except for the bursts of traffic from the same host at a certain frequency.

  29. Duh! by dark-br · · Score: 4, Funny

    You can use a modem to post a slashdot article with a link to the target computer...

  30. Going to be tough to exploit. by Andy+Dodd · · Score: 4, Insightful

    Since it requires accurate timing.

    a) Even if the average bandwidth is low, the attacker will still need the ability to burst those peaks. Remember that in most cases, we pay for peak bandwidth and not average bandwidth. A 56k modem likely won't be able to perform one of these DoS attacks because it doesn't have the peak b/w capability.

    b) The more hops you are away from your target, the more your peaks will get spread out and averaged. Keep in mind that most cable modem head-ends and the cable modems themselves have REALLY long packet queues. This is why upstream saturation is such a problem for cable modems. You can burst all you want, if you're DoSing from a cable modem it'll be averaged out and/or the timing completely FUBARed by the time the packets leave your neighborhood.

    --
    retrorocket.o not found, launch anyway?
  31. Frequency by StormReaver · · Score: 4, Funny

    "By sending small bursts of packets at just the right frequency...."

    That's not a problem. All you have to do is periodically adjust your shield harmonics to keep the attacker from adapting quickly enough to do any harm.

  32. Re:yay (faker!) by Zathrus · · Score: 5, Insightful

    No. Modems stopped increasing in baud at 2400, and then used various encoding methods (trellis, QAM, etc.) to squeeze more than 1 bit/baud. A 9600 bps modem, for instance, averages 4 bits/baud.

    Well. Almost.

    Better quality phone lines can support >2400 baud, but not by much. A 28800 bps connection is running at 3429 baud IIRC, and varying line conditions will reduce that baud rate, thus reducing your effective bps.

    Compression is on top of all of this. It's an entirely different issue, and if you transfer straight text over a 28.8k modem you can get considerably more than 28.8kbps out of the modem.

    You got the broad stuff right though, which is a lot more than most people grok.

  33. Re:Just what we need... by sloth+jr · · Score: 3, Insightful
    This is an architectural "flaw" of TCP (the authors seem to conclude that its retransmission mechanism is sound and necessary, but can't be effectively protected against for this DoS -for the sake of argument, let's call it a flaw) - whom would you propose "fix" the problem before the vulnerability is widely known?

    Since the architectural flaw seems to be in the retransmission recovery sequences of TCP, eg, it can be spoofed in a way undistinguishable from normal retransmission recovery sequences, actual source of the packet can't be used as a deterrent to attacks.

    The attack seems to exploit the mechanisms of congestion flow itself, so larger window sizes or in-order deliver of packets (I presume this is what you mean by sequenced packets) will not be sufficient to avoid this attack. The paper does examine several variants of TCP, with similarly glum results.

    In the scenario illustrated by the paper, TCP enters its exponential backup phase, throttling the window to a single packet size and doubles the retransmission timeout (which starts off at 1 second). The paper seems to be saying that by timing the attacking responses to closely match that of the sender's RTO, we can cause the connection to effectively remain in exponential backoff.

    To my thinking this would affect throughput for only the attacker's TCP flow, but the authors say that ALL TCP flows can be affected. I'm just not smart enough to understand why all TCP flows can be induced into the same exponential backoff phase.

    sloth jr

  34. Re:Dupe! Or not... by Abcd1234 · · Score: 3, Insightful

    Too bad this is a *completely different attack*! Jeez, read the friggin' paper, people. The paper you reference talks about a DoS which exploits data structures commonly used in TCP stacks. The DoS in the paper referenced for this article exploits TCP congestion control algorithms to "fool" the TCP stack into thinking the pipe is full when it really isn't by sending carefully timed packet bursts.

  35. Learn How To Protect Yourself!! READ THIS!! by CoyoteGuy · · Score: 4, Funny



    Just set the evil bit, and all is well. ;)

    --
    Slashdot.. Land of nerds, trolls, and FlameBait..
  36. Re:yay (faker!) by Zathrus · · Score: 3, Interesting

    The phone system has an 8 KHz bandwidth... I think it's something like ~150 Hz - ~8000 Hz. At least that's the spec. Some very old lines aren't that good, some newer lines are far better.

    And there's a boatload of various technologies (loading coils for example) that are designed around maintaining those frequencies at the cost of all others, which causes problems with high speed modems and utterly breaks DSL.

    It's ok that your data is from the 1990s... the phone system was designed in the 1930s and hasn't changed dramatically since :)

    I had the pleasure of seeing the inside of a CO in downtown Atlanta in the early 90s. From the battery room with 45 gallon drums of baking soda in case of an acid spill, to the entryway with cables varying from the thickness of your arm (old, old, old copper) to less than a pencil (fiber), to 40 foot by 3 foot by 6 foot long switches that were being replaced by a pair of boxes the size of Coke machines. All an interesting mish mash of old and new technologies and all working together. At least they'd gotten rid of the mechanical switches :) (although that's not true world wide...). Interesting stuff.