Slashdot Mirror


New Low Bandwidth Denial of Service Attacks

An anonymous reader writes "A paper from Rice University appearing at the 2003 ACM Sigcomm Conference presents a new denial of service attack where the attacker only needs to send at a low rate to shut down TCP flows. The trick exploits the retransmission timeout mechanism in TCP. By sending small bursts of packets at just the right frequency, the attacker can cause all TCP flows sharing a bottleneck link to simultaneously stop indefinitely. And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts. The presentation, and other presentations from the conference, are available online (live streaming)."
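
Because the bursts described in the summary hide inside a low average rate, a monitor has to look at periodicity and peak utilisation rather than volume. The sketch below is an added example, not code from the paper or from the original post; the bin size, link capacity, thresholds and lag window (an assumed range around typical TCP retransmission timeouts) are illustrative assumptions, and both traffic samples are constructed.

```python
"""Flag traffic that is strongly periodic and peaky yet low on average."""
import random
from statistics import mean

BIN_SECONDS = 0.1        # assumed sampling interval of the link byte counter
LINK_CAPACITY = 125_000  # bytes per bin on an assumed 10 Mbit/s bottleneck


def autocorrelation(series, lag):
    """Normalised autocorrelation of the series at a lag given in bins."""
    mu = mean(series)
    var = sum((x - mu) ** 2 for x in series)
    if var == 0:
        return 0.0
    cov = sum((series[i] - mu) * (series[i + lag] - mu)
              for i in range(len(series) - lag))
    return cov / var


def dominant_period(series, min_lag=5, max_lag=30):
    """Return (period_seconds, strength) of the strongest lag in the window."""
    scores = {lag: autocorrelation(series, lag)
              for lag in range(min_lag, max_lag + 1)}
    best = max(scores, key=scores.get)
    return best * BIN_SECONDS, scores[best]


def looks_like_periodic_bursts(series, capacity=LINK_CAPACITY,
                               strength_min=0.6, mean_util_max=0.3,
                               peak_util_min=0.9):
    """True when bins repeat on a fixed period, peak near capacity, average low."""
    _, strength = dominant_period(series)
    return (strength >= strength_min
            and mean(series) / capacity <= mean_util_max
            and max(series) / capacity >= peak_util_min)


# Constructed samples, 20 s each: one saturated bin per second over light
# background traffic, and a sustained bulk transfer with random jitter.
BURSTY = [LINK_CAPACITY if i % 10 == 0 else 2_000 for i in range(200)]
_rng = random.Random(7)
BULK = [_rng.randint(90_000, 125_000) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("bursty", BURSTY), ("bulk", BULK)):
        print(name, dominant_period(sample), looks_like_periodic_bursts(sample))
```

The bursty sample averages about 11% of link capacity, so a volume threshold alone would pass it; the bulk transfer is far heavier but is not flagged.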

12 of 366 comments

  1. Tough paper to read by Brahmastra · · Score: 5, Funny

    This is a tough paper to read. It's going to be a long time before an "Insightful" post.

  2. Low bandwidth DOSing? by XSforMe · · Score: 5, Funny

    are available online (live streaming).
    This guy is an amateur, wait until he feels the slashdot effect on his server. His next presentation will be entitled, how to knock down any server by just posting an article.

    --
    My other OS is the MCP!
  3. Re:Oh no! They're attacking... slowly... by cK-Gunslinger · · Score: 5, Interesting

    Actually the paper addresses defense mechanisms, such as randomly varying the time out interval, but it turns out that the performance lost in TCP efficiently nulls any benefits. Interesting paper.

  4. Arrest them! by canajin56 · · Score: 5, Funny

    Good grief, they are giving instructions for how to DoS people! Arrest them using the DMCA! QUICK, BEFORE THE CAT IS OUT OF THE BAG!

    --
    ASCII stupid question, get a stupid ANSI
  5. Direct link to paper by Hygelac · · Score: 5, Informative
    --
    -- Grow up and use mutt.
  6. Re:yay (faker!) by gosand · · Score: 5, Funny
    Yay, finally there's use for my trustworthy 2400bod modem :D

    Anyone who is actually old enough to have used one of these would certainly know how to spell it correctly.

    I call faker! You are just trying to pretend you are some 31337 old geek when you probably have never used anything slower than a DSL line.

    Now get out of here before I whip ya with this here cable with BNC connectors.

    --

    My beliefs do not require that you agree with them.

  7. better papers this year by carpe_noctem · · Score: 5, Interesting

    Not to rain on the parade here, but I thought there were a number of more interesting papers from sigcomm this year. Namely:

    - Peer-to-Peer Information Retrieval Using Self-Organizing Semantic Overlay Networks
    - Quantum Cryptography in Practice
    - Making Gnutella-like P2P Systems Scalable

    Just some more food for thought....

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  8. Re:yay (faker!) by hey · · Score: 5, Informative

    "baud" is named after J.M.E. Baudot who was French. more info

  9. Re:Obligatory simpsons quote... by admiralh · · Score: 5, Funny

    When a blimp crashed on a roof a few years ago, I always envisioned the people on the roof looking up and shouting, "Look Out! Walk for your lives!"

    --
    Hopelessly pedantic since 1963.
  10. Worms can potentially exploit this by Rolman · · Score: 5, Interesting

    In the latest Lovsan.* worm outbreak, the worm was programmed to generate a DDoS attack to www.windowsupdate.com, only the attack was not very successful because that domain was just a means of redirection to the real Windows Update site (windowsupdate.microsoft.com), so Microsoft just shut it down and avoided any harm.

    But with this low-bandwidth exploit, which I believe is actually not a new idea, since IE uses a tricky method to increase speed by leaving persistent connections until they time out that could be exploited, now a worm can potentially DoS any website, even dynamically selecting the target from the users' IE favorites and performing the attack very quickly (maybe in a matter of hours) without having to rely on it being a widespread, coordinated DDoS or what the target OS/Server is.

    The paper even claims that in order to protect a server from this type of attack you'd need to sacrifice a good deal of performance, which in most cases is not acceptable so many people can't really afford to implement defenses. Either a clever workaround is made for this exploit, or we have tough times ahead from worm outbreaks and script kiddies.

    --
    - Otaku no naka no otaku, otaking da!!!
  11. Re:yay by KUHurdler · · Score: 5, Funny

    You had "1"s? all I had were zeros

    --
    Fix Your Own TV - RiddledTV.com Avoid the Landfill
  12. Re:yay (faker!) by Zathrus · · Score: 5, Insightful

    No. Modems stopped increasing in baud at 2400, and then used various encoding methods (trellis, QAM, etc.) to squeeze more than 1 bit/baud. A 9600 bps modem, for instance, averages 4 bits/baud.

    Well. Almost.

    Better quality phone lines can support >2400 baud, but not by much. A 28800 bps connection is running at 3429 baud IIRC, and varying line conditions will reduce that baud rate, thus reducing your effective bps.

    Compression is on top of all of this. It's an entirely different issue, and if you transfer straight text over a 28.8k modem you can get considerably more than 28.8kbps out of the modem.

    You got the broad stuff right though, which is a lot more than most people grok.