Slashdot Mirror


New Low Bandwidth Denial of Service Attacks

An anonymous reader writes "A paper from Rice University appearing at the 2003 ACM Sigcomm Conference presents a new denial of service attack where the attacker only needs to send at a low rate to shutdown TCP flows. The trick exploits the retransmission timeout mechanism in TCP. By sending small bursts of packets at just the right frequency, the attacker can cause all TCP flows sharing a bottleneck link to simultaneously stop indefinitely. And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts. The presentation, and other presentations from the conference, are available online (live streaming)."

34 of 366 comments

  1. yay by geighaus · · Score: 4, Funny

    Yay, finally there's use for my trustworthy 2400bod modem :D

    1. Re:yay by cK-Gunslinger · · Score: 4, Funny

      2400 baud? Back in my day, I had to run back and forth to my ISP yelling in binary.

      "101010100010100"

    2. Re:yay by CERDIP · · Score: 4, Funny

      Yeah, and it was upstream both ways, too!

      --
      ---- ---- --- -- --- ------ Keep Cool But Do Not Freeze
    3. Re:yay by KUHurdler · · Score: 5, Funny

      You had "1"s? All I had were zeros.

      --
      Fix Your Own TV - RiddledTV.com Avoid the Landfill
  2. Tough paper to read by Brahmastra · · Score: 5, Funny

    This is a tough paper to read. It's going to be a long time before an "Insightful" post.

    1. Re:Tough paper to read by SuDZ · · Score: 4, Funny

      There is already a handful of people trying to prove you right. :)

      SuDZ

    2. Re:Tough paper to read by tomhudson · · Score: 4, Informative

      Actually, this isn't new. The exact reverse concept was mentioned here as a way to fight spam.

  3. Low bandwith DOSing? by XSforMe · · Score: 5, Funny

    "are available online (live streaming)."
    This guy is an amateur, wait until he feels the slashdot effect on his server. His next presentation will be entitled, how to knock down any server by just posting an article.

    --
    My other OS is the MCP!
  4. Re:Oh no! They're attacking... slowly... by cK-Gunslinger · · Score: 5, Interesting

    Actually, the paper addresses defense mechanisms, such as randomly varying the timeout interval, but it turns out that the performance lost in TCP efficiency nulls any benefits. Interesting paper.

  5. Dupe story. Mod me sideways... by fuqqer · · Score: 4, Informative

    This is a duplicate story from a looonnnng time ago. May 31, as a matter of fact. This means something considering the amount of brain cells I kill with liquor every day.

  6. Security through obfuscation by RobertB-DC · · Score: 4, Insightful

    My first thought was, "Oh, great, now the 5kr1pt k1dd1e5 will have another instruction manual."

    Then, I downloaded the .pdf file, and started reading it. My head's still spinning!

    Here's a sample:
    When the number of flows in the system is high, a fraction of flows' retransmission timers will expire sufficiently near time (alpha) such that those flows can partially recover and utilize the available bandwidth in the period from time (alpha) to time (beta), when all flows will again experience an outage.
    And that's one of the more lucid sentences.

    Anyone who would be able to put together an actual attack from this paper probably has enough education to get a real job -- something that doesn't go well with writing malware on the side.

    Of course, now that the paper's being discussed on Slashdot, all bets are off!
    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:Security through obfuscation by Abcd1234 · · Score: 4, Interesting

      "When the number of flows in the system is high, a fraction of flows' retransmission timers will expire sufficiently near time (alpha) such that those flows can partially recover and utilize the available bandwidth in the period from time (alpha) to time (beta), when all flows will again experience an outage."

      Bah, the paper isn't that bad. Heck, without reading the whole thing and knowing a little bit about what they discuss (based on the first section), I can understand what you've quoted (if I'm correct, this is from their section on mitigating attacks using randomized RTOs).

      Really, the basic concepts are *incredibly* simple. Send a burst of traffic which causes drops in the short term. This results in the TCP stack backing off and re-transmitting the packet after the defined RTO. So, if you hit the stack with another burst of packets just as the RTO is expiring, the stack will back off again. Lather, rinse, repeat. This requires a lot less traffic, since your bursts are spaced apart (roughly a second per burst, typically, since that's a pretty standard RTO).

      Really, all you need is a basic understanding of TCP flow control to understand the concepts in this paper (which, BTW, they attempt to explain in the first section). The rest of the content (modelling TCP flow rates relative to DoS flow rates, etc) is really just the formal analysis of the basic attack, which certainly isn't important if all you care about is implementing it.

  7. Arrest them! by canajin56 · · Score: 5, Funny

    Good grief, they are giving instructions for how to DoS people! Arrest them using the DMCA! QUICK, BEFORE THE CAT IS OUT OF THE BAG!

    --
    ASCII stupid question, get a stupid ANSI
  8. "Coordinated DDOS" by mcc · · Score: 4, Funny

    [Scene: SCO Group, Utah. Where a "coordinated DDOS" is just beginning..]

    [SUIT 1] Uh, hey, uh.. this one computer here.. it's like the webserver or something?
    [SUIT 2] Yeah, I think, why?
    [SUIT 1] Well, none of the lights on it are on.. that's.. hm.
    [SUIT 2] Oh, yeah, hey, look at that, someone seems to have tripped over the cord and unplugged it. [[Switches it back on]]
    [SUIT 1] Huh.. um.. it doesn't seem to have started up all the way. It's saying something about "fsck" and asking for a password. What does that mean?
    [SUIT 2] Hm, not sure.
    [SUIT 1] Well.. could we get one of the linux guys to come and reboot it? Or something?
    [SUIT 2] Well, we fired all of the linux guys so that we could concentrate all our resources on the lawsuit.
    [SUIT 1] Uh.. shit! Well, I guess I better figure something out.. hmm
    [[ Two days later, after two days of phone calls, SUIT 1 finally finds an INDEPENDENT CONTRACTOR who doesn't just laugh and hang up on him when he says he wants them to come fix a linux server. INDEPENDENT CONTRACTOR starts the linux server up all the way and charges a great deal of money. "Coordinated DDOS" thus ends. ]]

  9. Direct link to paper by Hygelac · · Score: 5, Informative
    --
    -- Grow up and use mutt.
  10. Re:yay (faker!) by gosand · · Score: 5, Funny

    "Yay, finally there's use for my trustworthy 2400bod modem :D"

    Anyone who is actually old enough to have used one of these would certainly know how to spell it correctly.

    I call faker! You are just trying to pretend you are some 31337 old geek when you probably have never used anything slower than a DSL line.

    Now get out of here before I whip ya with this here cable with BNC connectors.

    --

    My beliefs do not require that you agree with them.

  11. Re:Where can I read about this? by cK-Gunslinger · · Score: 4, Informative

    Uh, click on the word "paper" in the story, then click on "This paper is available in Adobe PDF format."

    Or Click Here

  12. better papers this year by carpe_noctem · · Score: 5, Interesting

    Not to rain on the parade here, but I thought there were a number of more interesting papers from sigcomm this year. Namely:

    - Peer-to-Peer Information Retrieval Using Self-Organizing Semantic Overlay Networks
    - Quantum Cryptography in Practice
    - Making Gnutella-like P2P Systems Scalable

    Just some more food for thought....

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  13. Saturation! by pvera · · Score: 4, Interesting

    Back in my days as a satellite network controller for the Army it was common knowledge that all it takes to saturate the whole frequency range for the commo payload is a nice 75 kHz spike (enough carrier for an FM orderwire signal). People would argue it could not be done since we pretty much owned the 7.25->8.4 GHz spectrum, but it worked pretty damn well. This is the equivalent of saturating a T1 with a 14.4 modem.

    --
    Pedro
    ----
    The Insomniac Coder
  14. Re:Oh no! They're attacking... slowly... by Wolfger · · Score: 4, Funny

    It seems to me that the solution is to have a variable RTO... Kinda like when LaForge had to continually modulate the shield frequency to keep the Borg from adapting. :-)

  15. Re:I doubt it... by sg_oneill · · Score: 4, Insightful

    I'm pretty certain that my firewall would flag the bursts. If not, seems a simple rule or two would suffice to flag them. I'd like to see this in action. I suspect that it is pretty lame and easily detected.

    My guess is that by Friday night, the kiddies will have thousands of these going. So, I guess I can do see for myself tomorrow

    Ah. sure dude.

    Not sure how a firewall helps with DOS and DDOS attacks, however. Something floods your pipe, and it's flooded, no matter how clever your firewall is. Try reading the article :)

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  16. 2400? 2400?!? by burgburgburg · · Score: 4, Funny

    You were lucky.

    In my day, we had to get up at 2:00am, clean the road with our tongues, crawl to work on broken glass, and when we got there, we had to work with 6 baud modems that were powered by rabid hamsters. And we were glad for them.

  17. Re:yay (faker!) by hey · · Score: 5, Informative

    "baud" is named after J.M.E. Baudot who was French. more info

  18. Re:Down with sexism! .. I mean, IPv4! by Politburo · · Score: 4, Insightful

    Insightful? This is CRAP. It's called TCP/IP. Whether it's TCP/IP4 or TCP/IP6, there's still TCP, and that's what this attack targets.

  19. Timescale by rf0 · · Score: 4, Funny

    Paper Today
    Proof of Concept by Monday
    Script Kiddies Version by Thursday
    Internet dies on Friday
    All back to normal Monday

    Rus

  20. Re:Obligatory simpsons quote... by admiralh · · Score: 5, Funny

    When a blimp crashed on a roof a few years ago, I always envisioned the people on the roof looking up and shouting, "Look Out! Walk for your lives!"

    --
    Hopelessly pedantic since 1963.
  21. Summary for non-CS people by Apparition29 · · Score: 4, Interesting

    Essentially this says that all you do is to continually convince TCP that the 'pipe' is full of information and to take counter measures.

    TCP will do this with a preset procedure that was designed to eliminate deadlock situations. The problem occurs when, every time the TCP stack tries to resend the information, you can fool it by filling the 'pipe' again. As long as you know when the TCP stack will retry again, you can continue this over and over. Because it does not take a lot of information to fill the 'pipe' for the short time that TCP attempts to resend, you can have a low bandwidth attack.
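
The two summaries of the mechanism in this thread (Abcd1234's and Apparition29's) and cK-Gunslinger's remark about randomised timeouts all come down to one interaction: a fixed minimum RTO plus exponential back-off. The following is an added toy model written for this page; it is not code from the Rice paper and it sends no packets. It steps a single simplified sender through 1 ms time slots, treats every segment sent while the bottleneck queue is full as lost, and uses a 1 s minimum RTO (the RFC 2988 value) with doubling on repeated loss. The 60 s duration, the burst length, and the `rto_jitter` range of [RTO, 1.2*RTO] are assumptions chosen for illustration, as is the one-segment-per-slot sending rate.

```python
"""
Toy model of TCP retransmission-timeout (RTO) back-off under periodic
bottleneck outages.  Added illustration for this page; not the paper's
code and not a traffic generator: it only steps a simplified sender
through time in 1 ms slots and counts the slots in which data gets through.
"""
import random

MIN_RTO_MS = 1000      # RFC 2988 minimum RTO; the value outages line up with
MAX_RTO_MS = 64_000    # cap on exponential back-off (assumed)


def burst_active(t_ms, period_ms, burst_len_ms):
    """True while the bottleneck queue is full, i.e. inside an outage window."""
    return (t_ms % period_ms) < burst_len_ms


def goodput_fraction(period_ms, burst_len_ms, duration_ms=60_000,
                     rto_jitter=0.0, seed=1):
    """
    Fraction of 1 ms slots in which the modelled sender delivers data.

    Sender model (a simplification, not a full TCP stack):
      * sends one segment per slot while the bottleneck is free;
      * a segment sent inside an outage window is lost; the sender then
        waits one RTO before trying again, and every further loss doubles
        the RTO (exponential back-off);
      * a successful send resets the RTO to the minimum.
    rto_jitter=0.2 draws each wait from [RTO, 1.2*RTO], the kind of
    randomised timeout the thread mentions as a defence.
    """
    rng = random.Random(seed)
    rto = MIN_RTO_MS
    next_send = 0
    delivered = 0
    for t in range(duration_ms):
        if t < next_send:
            continue                       # retransmission timer still running
        if burst_active(t, period_ms, burst_len_ms):
            wait = rto * (1.0 + rng.uniform(0.0, rto_jitter)) if rto_jitter else rto
            next_send = t + int(wait)
            rto = min(rto * 2, MAX_RTO_MS)  # back off further on repeated loss
        else:
            delivered += 1
            rto = MIN_RTO_MS               # success: timer back to its floor
    return delivered / duration_ms


def sweep(periods_ms, burst_len_ms=100, **kwargs):
    """Goodput for each outage period; lets you see where the cliff is."""
    return {p: goodput_fraction(p, burst_len_ms, **kwargs) for p in periods_ms}


if __name__ == "__main__":
    for period, g in sweep([500, 1000, 1100, 1500, 2000, 5000]).items():
        print(f"outage every {period:5d} ms, 100 ms long: goodput {g:.3f}")
    print("same 1000 ms period with RTO jittered by up to 20 %:",
          f"{goodput_fraction(1000, 100, rto_jitter=0.2):.3f}")
```

With a 100 ms outage every 1000 ms (or every 500 ms, a divisor of the minimum RTO) the retransmission always lands in the next outage, the timer keeps doubling, and goodput is exactly zero for the whole run; with an outage period longer than the minimum RTO the model recovers to roughly (period - MIN_RTO) / period, which is the shape of the paper's throughput curve. Jittering the timer breaks the lock-step, which is why it helps; the cost is that every genuine loss now waits up to 20 % longer before retransmission, which is the performance trade-off cK-Gunslinger refers to.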

  22. Worms can potentially exploit this by Rolman · · Score: 5, Interesting

    In the latest Lovsan.* worm outbreak, the worm was programmed to generate a DDoS attack to www.windowsupdate.com, only the attack was not very successful because that domain was just a means of redirection to the real Windows Update site (windowsupdate.microsoft.com), so Microsoft just shut it down and avoided any harm.

    But with this low-bandwidth exploit, which I believe is actually not a new idea, since IE uses a tricky method to increase speed by leaving persistent connections until they time out that could be exploited, now a worm can potentially DoS any website, even dynamically selecting the target from the users' IE favorites and performing the attack very quickly (maybe in a matter of hours) without having to rely on it being a widespread, coordinated DDoS or on what the target OS/Server is.

    The paper even claims that in order to protect a server from this type of attack you'd need to sacrifice a good deal of performance, which in most cases is not acceptable so many people can't really afford to implement defenses. Either a clever workaround is made for this exploit, or we have tough times ahead from worm outbreaks and script kiddies.

    --
    - Otaku no naka no otaku, otaking da!!!
  23. Undistinguishable? by _iris · · Score: 4, Insightful

    "And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts."

    Except for the bursts of traffic from the same host at a certain frequency.
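
The regularity _iris points at is what a defender can look for: a source whose traffic is a train of short, heavy bursts with a near-constant spacing. The following detector is an added example for this page, not code from the paper or from any product. It works on a constructed list of (timestamp_ms, source_ip, bytes) records using RFC 5737 documentation addresses; the 200 ms idle gap that separates bursts, the 10 % jitter tolerance, and the minimum burst size are assumed thresholds a practitioner would tune against their own flow data.

```python
"""
Flag sources whose traffic is a regular train of short, heavy bursts.
Added illustration for this page; input records are constructed below.
"""
from collections import defaultdict
from statistics import mean, pstdev

BURST_GAP_MS = 200      # idle gap that separates two bursts (assumed)
MIN_BURSTS = 5          # need a few bursts before calling anything periodic
MIN_BURST_PKTS = 10     # keeps one-packet keepalives from matching
MAX_JITTER = 0.10       # inter-burst spacing must agree to within 10 %


def group_bursts(timestamps_ms):
    """Split packet times into bursts; a gap longer than BURST_GAP_MS starts a new one."""
    bursts = []
    for t in sorted(timestamps_ms):
        if bursts and t - bursts[-1][-1] <= BURST_GAP_MS:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def periodic_burst_score(timestamps_ms):
    """
    (period_ms, jitter) if the host sends a regular train of heavy bursts,
    else None.  jitter = stdev/mean of the gaps between burst start times.
    """
    bursts = group_bursts(timestamps_ms)
    if len(bursts) < MIN_BURSTS:
        return None
    if mean([len(b) for b in bursts]) < MIN_BURST_PKTS:
        return None                     # periodic but light: polling, keepalives
    starts = [b[0] for b in bursts]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    period = mean(gaps)
    if period == 0:
        return None
    jitter = pstdev(gaps) / period
    if jitter > MAX_JITTER:
        return None                     # irregular spacing: ordinary traffic
    return (period, jitter)


def find_periodic_sources(records):
    """Map source -> (period_ms, jitter) for every source that scores."""
    by_src = defaultdict(list)
    for ts, src, _nbytes in records:
        by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        score = periodic_burst_score(times)
        if score is not None:
            hits[src] = score
    return hits


def _burst_train(src, period_ms, count, pkts_per_burst, spacing_ms, nbytes):
    """Constructed records: `count` bursts of `pkts_per_burst` packets each."""
    return [(k * period_ms + i * spacing_ms, src, nbytes)
            for k in range(count) for i in range(pkts_per_burst)]


# Constructed sample (documentation addresses, not real hosts):
#   198.51.100.7  20-packet bursts exactly one second apart  -> should match
#   192.0.2.9     one 64-byte keepalive per second            -> too light
#   203.0.113.5   three-packet bunches at irregular times     -> too irregular
SAMPLE_RECORDS = (
    _burst_train("198.51.100.7", 1000, 10, 20, 5, 1400)
    + _burst_train("192.0.2.9", 1000, 10, 1, 0, 64)
    + [(t + i * 10, "203.0.113.5", 512)
       for t in (0, 700, 1900, 2300, 4100, 4400, 6000, 7500) for i in range(3)]
)

if __name__ == "__main__":
    for src, (period, jitter) in find_periodic_sources(SAMPLE_RECORDS).items():
        print(f"{src}: bursts every {period:.0f} ms (jitter {jitter:.2f})")
```

Two of the three constructed sources are there for the false-positive cases: a once-a-second keepalive has the right period but no bulk behind it, and bursty interactive traffic has bulk but no fixed period. A hit is a lead to correlate with the burst volume at the bottleneck, not a verdict, since plenty of legitimate software polls on a fixed interval too.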

  24. Duh! by dark-br · · Score: 4, Funny

    You can use a modem to post a slashdot article with a link to the target computer...

  25. Going to be tough to exploit. by Andy+Dodd · · Score: 4, Insightful

    Since it requires accurate timing.

    a) Even if the average bandwidth is low, the attacker will still need the ability to burst those peaks. Remember that in most cases, we pay for peak bandwidth and not average bandwidth. A 56k modem likely won't be able to perform one of these DoS attacks because it doesn't have the peak b/w capability.

    b) The more hops you are away from your target, the more your peaks will get spread out and averaged. Keep in mind that most cable modem head-ends and the cable modems themselves have REALLY long packet queues. This is why upstream saturation is such a problem for cable modems. You can burst all you want, if you're DoSing from a cable modem it'll be averaged out and/or the timing completely FUBARed by the time the packets leave your neighborhood.

    --
    retrorocket.o not found, launch anyway?
  26. Frequency by StormReaver · · Score: 4, Funny

    "By sending small bursts of packets at just the right frequency...."

    That's not a problem. All you have to do is periodically adjust your shield harmonics to keep the attacker from adapting quickly enough to do any harm.

  27. Re:yay (faker!) by Zathrus · · Score: 5, Insightful

    No. Modems stopped increasing in baud at 2400, and then used various encoding methods (trellis, QAM, etc.) to squeeze more than 1 bit/baud. A 9600 bps modem, for instance, averages 4 bits/baud.

    Well. Almost.

    Better quality phone lines can support >2400 baud, but not by much. A 28800 bps connection is running at 3429 baud IIRC, and varying line conditions will reduce that baud rate, thus reducing your effective bps.

    Compression is on top of all of this. It's an entirely different issue, and if you transfer straight text over a 28.8k modem you can get considerably more than 28.8kbps out of the modem.

    You got the broad stuff right though, which is a lot more than most people grok.

  28. Learn How To Protect Yourself!! READ THIS!! by CoyoteGuy · · Score: 4, Funny

    Just set the evil bit, and all is well. ;)

    --
    Slashdot.. Land of nerds, trolls, and FlameBait..