RE: [tcpm] DoS attack from misbehaving receivers
Christian Huitema <huitema@windows.microsoft.com> Thu, 11 January 2007 21:45 UTC
From: Christian Huitema <huitema@windows.microsoft.com>
To: Rob Sherwood <capveg@cs.umd.edu>, Caitlin Bestler <caitlinb@broadcom.com>
Cc: david.malone@nuim.ie, tcpm@ietf.org

> > But is it not correct that the same attack could be launched
> > from a botnet just as effectively even without faking acks?
> > Until typical home computers are more secure from being drafted
> > into a botnet is there a real benefit from this counter-measure?
>
> A botnet of sufficient size, maybe. An open question (read: subject of
> my current research) is how much traffic is required to overcome Internet
> backbone links. The reason for concern with the OptAck attack is that
> the amplification factors are large (~1600x and higher from the paper),
> which reduces the size of the botnet required to cause significant
> damage.

I have witnessed distributed DOS attacks generating several Gbps of traffic, and that was a couple of years ago. I have also witnessed DOS attacks implemented by simply opening multiple TCP connections. The attack software started several threads, and in each thread a loop would keep loading a particular web page. That actually gives a lot of amplification, since the size of the HTTP request is only a fraction of the size of the response. There was no attempt to hide the origin of the attack, spoof the IP address, hack the TCP stack, or any of that.

These particular attacks were trying to bring down a web site, but similar attacks could easily target a particular link in the infrastructure.

-- Christian Huitema
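
Added example, not part of the original message: a server-side check for the pattern described above, where a client re-fetches one page in a loop, reporting the response-to-request byte ratio as the amplification. The log records, addresses, window and threshold are constructed assumptions, not values from the thread.

```python
from collections import defaultdict, deque


def build_sample_log():
    """Constructed records: (epoch_s, client_ip, path, request_bytes, response_bytes)."""
    log = []
    # One client re-fetching the same page every 0.5 s: 40 requests in 20 s.
    for i in range(40):
        log.append((1000.0 + i * 0.5, "192.0.2.10", "/index.html", 300, 60000))
    # An ordinary visitor: a few pages spread over a minute.
    pages = ["/index.html", "/about.html", "/index.html", "/news.html"]
    for i, path in enumerate(pages):
        log.append((1000.0 + i * 15, "198.51.100.7", path, 320, 45000))
    return log


def flag_repeat_fetchers(records, window=10.0, max_hits=10):
    """Flag clients that request one path more than max_hits times in any
    sliding window of `window` seconds (both thresholds are assumptions)."""
    recent = defaultdict(deque)   # (client, path) -> timestamps still in window
    received = defaultdict(int)   # client -> request bytes the server received
    sent = defaultdict(int)       # client -> response bytes the server sent
    peak = {}                     # client -> (highest in-window count, path)
    for ts, client, path, req_bytes, resp_bytes in sorted(records):
        received[client] += req_bytes
        sent[client] += resp_bytes
        hits = recent[(client, path)]
        hits.append(ts)
        # Drop timestamps that have aged out; the current one always remains.
        while ts - hits[0] >= window:
            hits.popleft()
        if len(hits) > max_hits and len(hits) > peak.get(client, (0, ""))[0]:
            peak[client] = (len(hits), path)
    return {
        client: {
            "path": path,
            "peak_hits": count,
            # Bytes the server sent per byte it received from this client.
            "amplification": sent[client] / max(received[client], 1),
        }
        for client, (count, path) in peak.items()
    }


if __name__ == "__main__":
    for client, info in flag_repeat_fetchers(build_sample_log()).items():
        print(client, info)
```
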