Denial of Service via Algorithmic Complexity 257
dss902 writes "We (Department of Computer Science, Rice University) present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures... Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks."
Same Content / Two Links (Score:5, Informative)
Re:Same Content / Two Links (Score:5, Funny)
Denial of service? (Score:5, Funny)
Re:Denial of service? (Score:3, Insightful)
Please excuse any bad grammar/spelling, I am quite drunk atm.
Re:Denial of service? (Score:5, Funny)
I've seen this before (Score:5, Interesting)
Re:I've seen this before (Score:5, Informative)
Re:I've seen this before (Score:5, Interesting)
Problem: remove excess slashes from a URL, so
Original Algorithm:
If an additional slash is found, copy the remainder of the string over. So
a///b => a//b => a/b
This copying, an inner loop, makes the algorithm O(n^2).
New algorithm:
Have 2 pointers, and copy from one to the other. One pointer skips additional slashes. At the end, throw on a "\0" to terminate the string.
a///b => a/b
The second pointer has a loop to skip over additional slashes, and each slash is only visited once. Thus, the algorithm is O(n).
Cool stuff
a///...{500 slashes later}...///b
It could really do some damage to the first algorithm.
Re:I've seen this before (Score:4, Interesting)
The algorithm looks something like:
offset = 0
for i = 2 to n do
if a[i-1] = '/' and a[i] = '/' then
offset = offset + 1
else
a[i-offset] = a[i]
end if
end for
It saves you the trouble of having to manage the memory containing the cleaned-up string.
Standard Coding Procedures (Score:3, Insightful)
Actually this is one of the fundamental methodologies used in software development, dating back to the early Slow-Machineazoic period
In theory it goes like this
1. On paper, design the flow of data, what is hoped to be accomplished.
2. Pr
Re:Standard Coding Procedures (Score:2)
Re:I've seen this before (Score:2)
And for those talking about bean counters, Apache isn't even a commercial app.... Whose bean counters are working in open source?
No, these are pure geeks who can't code either...
Sloppyness is a geek attribute along with cleverness and obtuseness...
duh... (Score:5, Funny)
impressive... (Score:4, Funny)
Re:impressive... (Score:4, Funny)
Re:impressive... (Score:3, Funny)
Uh oh! (Score:4, Funny)
Bring on the MathML.
Re:Uh oh! (Score:2)
It still is just about as funny as an article about how to DOS someone being shown here...
sham report! (Score:3, Funny)
The project page (the one with the details) (Score:5, Informative)
DOS attack (Score:5, Funny)
Anyone got mirrors yet?
Mirror mirror on the wall (Score:5, Informative)
This [darkfire.net] is the HTML version (with lots of images not mirrored, sorry) and this [darkfire.net] is the PDF version.
If the PDF starts hogging the pipe, don't be surprised if it gets symlinked to the HTML version.
Re:Mirror mirror on the wall (Score:2)
please mirror if you can.
Re:DOS attack (Score:3, Interesting)
I have often wondered if the
Re:DOS attack (Score:2)
How about using apache's mod_rewrite capability to redirect slashdot users to something a little more interesting rather than flooding the site?
RewriteCond %{HTTP_REFERER} ^slashdot.*
RewriteRule ^/$
(don't jump on me if I got the syntax wrong, I only discovered mod_rewrite a day or two ago)
N.
Is it just me..? (Score:4, Funny)
Re:Is it just me..? (Score:5, Insightful)
If you RTFA you'd see they also present ways in which to AVOID this problem, and that's the real goal.
Re:Is it just me..? (Score:2)
Actually, I don't think the Perl or Python developersare going to be suing over these bug advisories anytime soon.
If any corporate user of Python wants to sue the Python developers for taking an open source attitude towards security bugfixing (i.e. discussing the problem on public mailing lists)... well, t
Re:Is it just me..? (Score:3, Insightful)
Step one complete. Now they're soliciting interaction on developing a solution.
Re:Is it just me..? (Score:3, Insightful)
Re:Is it just me..? (Score:5, Insightful)
With this information it shouldn't be too big of a deal to redesign the software to not be vulnerable anymore.
What they did is little more than algorithm analysis. They looked at all the different links in the chain then merely decided which algorithms were the weakest links and exploited them.
This is good because we can now fix those. Robustness abound.
Yes, It's Just you (Score:1)
Are people who work at Ford allowed to test whether your car can be hotwired?
If not well, the price of used Fords just fell by 75%
YES. (Score:3, Insightful)
I understand your question, but it, IMO, is like asking if "the people" should be free to speak about the bad things their King does, and wouldn't that just be bad for the Kingdom?
Re:Is it just me..? (Score:3, Insightful)
Most certainly yes. Others are studying it with purely malevolent intentions. The incentive of the University is benevolent. Carefully consider the consequences of not having public knowledge reflecting the capabilities of those with malicious intentions.
The onus is now upon the vendors to adhere to adequate standards, rather than resting upon public c
Re:Is it just me..? (Score:2)
Because Uiversities are where this sort of research shoud go on and solutions found.
I find it quite refreshing that this happened in a house of learning rather than "on the street".
Re:Is it just me..? (Score:2)
Re:Is it just me..? (Score:2)
What, would you have preferred that it appeared on an obscure malicious cracker's board? It's better that academia finds it before irreponsible people who would only use it to take down web sites.
And speaking of DDOS, it looks like the RIAA's site [riaa.org] is down again.
Re:Is it just me..? (Score:3)
This is a far cry from the implied 'student' moniker everyone has been going on about 'round here.
These are exactly the sort of people that should be looking at security problems. Especially when their findings include ways to avoid the problem, as their paper did.
It's not a Bro (Score:4, Funny)
Site is DoSed -- Abstract & Intro (Score:4, Informative)
Scott A. Crosby Dan S. Wallach
scrosby_at_cs.rice.edu dwallach*cs.rice.edu
Department of Computer Science, Rice University
Abstract:
We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures. Frequently used data structures have ``average-case'' expected running time that's far more efficient than the worst case. For example, both binary trees and hash tables can degenerate to linked lists with carefully chosen input. We show how an attacker can effectively compute such input, and we demonstrate attacks against the hash table implementations in two versions of Perl, the Squid web proxy, and the Bro intrusion detection system. Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.
Introduction
When analyzing the running time of algorithms, a common technique is to differentiate best-case, common-case, and worst-cast performance. For example, an unbalanced binary tree will be expected to consume O(n log n) time to insert n elements, but if the elements happen to be sorted beforehand, then the tree would degenerate to a linked list, and it would take O(n^2) time to insert all n elements. Similarly, a hash table would be expected to consume O(n) time to insert n elements. However, if each element hashes to the same bucket, the hash table will also degenerate to a linked list, and it will take O(n^2) time to insert n elements.
While balanced tree algorithms, such as red-black trees [11], AVL trees [1], and treaps [17] can avoid predictable input which causes worst-case behavior, and universal hash functions [5] can be used to make hash functions that are not predictable by an attacker, many common applications use simpler algorithms. If an attacker can control and predict the inputs being used by these algorithms, then the attacker may be able to induce the worst-case execution time, effectively causing a denial-of-service (DoS) attack.
Such algorithmic DoS attacks have much in common with other low-bandwidth DoS attacks, such as stack smashing [2] or the ping-of-death 1, wherein a relatively short message causes an Internet server to crash or misbehave. While a variety of techniques can be used to address these DoS attacks, common industrial practice still allows bugs like these to appear in commercial products. However, unlike stack smashing, attacks that target poorly chosen algorithms can function even against code written in safe languages. One early example was discovered by Garfinkel [10], who described nested HTML tables that induced the browser to perform super-linear work to derive the table's on-screen layout. More recently, Stubblefield and Dean [8] described attacks against SSL servers, where a malicious web client can coerce a web server into performing expensive RSA decryption operations. They suggested the use of crypto puzzles [9] to force clients to perform more work before the server does its work. Provably requiring the client to consume CPU time may make sense for fundamentally expensive operations like RSA decryption, but it seems out of place when the expensive operation (e.g., HTML table layout) is only expensive because a poor algorithm was used in the system. Another recent paper [16] is a toolkit that allows programmers to inject sensors and actuators into a program. When a resource abuse is detected an appropriate action is taken.
This paper focuses on DoS attacks that may be mounted from across a network, targeting servers with the data that they might observe and store in a hash table as part of their normal operation. Section 2 details how hash table
I hope this isn't news to anyone... (Score:5, Informative)
I don't know if anyone has *published* this before, but it's certainly not new.
Re:I hope this isn't news to anyone... (Score:5, Insightful)
That is something that the paper said, but they also gave specific examples of software that was vulnerable to that kind of attack. They determined that the Bro intrusion detection was highly vulnerable to this kind of attack, and mentioned different versions of Perl and Python that also experienced a significant perfrormance decrease given their input specifically made to bring down systems that use hash tables.
I don't know if anyone has *published* this before, but it's certainly not new.
It has been done. They mentioned similar related work where it was found that input to quicksort makes it take O(n^2) time instead of O(n lg n) and a that there was a vulnerability in the hash tables of the Linux route-table cache. The concept isn't new, it's just that different software has been found to have this sort of vulnerability.
And I just couldn't help but laugh at the irony of their PDF file on DOS attack prevention being the victim of the /. effect.
Re:I hope this isn't news to anyone... (Score:2)
Re:I hope this isn't news to anyone... (Score:2)
Re:I hope this isn't news to anyone... (Score:3, Informative)
Re:I hope this isn't news to anyone... (Score:2)
The paper goes beyond that. It gives specific examples of such hash tables in linux systems.
Re:I hope this isn't news to anyone... (Score:2)
Easy fix:
float x = 3.14159;
float y = (float)1/2 * (float)x;
printf("y = %lf\n", y);
y = 1.570795
Re:I hope this isn't news to anyone... (Score:4, Funny)
It's publicised. I was warned about stuff like this in a 2nd year CS class I took several months ago. But I did *not* imagine that it could be used to take down web servers.
Re:I hope this isn't news to anyone... (Score:2)
Wish people would stop using hash tables altoghether.
I've never used one in a real program.
Re:I hope this isn't news to anyone... (Score:2)
That's like saying, "I wish people would stop using [lists|arrays|trees] where one want good performance."
Re:I hope this isn't news to anyone... (Score:2)
I mean, you'd have to be really unlucky to get a large number of hash collisions, wouldn't you?
Re:I hope this isn't news to anyone... (Score:3, Informative)
If you use a strong keyed hash function (eg, keyed
Re:I hope this isn't news to anyone... (Score:2)
Your uniform-access-time machine will have memory which is the same speed as the equally sized memory of a nonuniform-access-time machine. Accessing one word out of 2^n requires O(n) gate delays; this is why Intel uses small L1 caches.
(Technically, it also requires O(2^(n/2)) propagation time, provided that we assume a two dimensional layout; but that usually turns out to be unimportant.)
Re:I hope this isn't news to anyone... (Score:2)
operational parameter) rather than "k" (which
makes clear that the value in question is a
constant, and therefore O(k) ~ O(1)) is misleading.
Unless, of course, you are using a machine with
a variable address length.
Re:I hope this isn't news to anyone... (Score:2)
But if you have the option of choosing your hardware, you can buy memory which is smaller and faster; and if your hardware has a caching subsystem, you certainly gain from using a smaller address space.
Re:I hope this isn't news to anyone... (Score:5, Interesting)
The issue is that even the best hash functions perform worse under very specific circumstances, i.e. high numbers of hash collisions. An earlier poster mentioned quicksort; the quicksort algorithm, while being the most (or one of the most) efficient sorting algorithms, is extremely inefficient if given an ordered set already. Obviously, a check can be added to make sure you are not sorting an already sorted algorithm.
Presumably, the same could be done for hash functions, in which, by having a bunch of different hash functions available, the software could revert to an alternate if the primary function appeared to be generating way too many collisions. Just because people hadn't thought about this much or designed software to cope doesn't mean it would be very hard to prevent against.
Re:I hope this isn't news to anyone... (Score:2)
That depends on how you pick your pivots. If you choose them randomly it's a lot harder to get the worst case, so long as an attacker can't duplicate your random number sequence.
Still, there are sort algos that are O(nlogn) regardless of the input, but they've got a slower multiplier. So do you pick the one that's fastest in the average case, or faste
Re:I hope this isn't news to anyone... (Score:3, Informative)
Yep, both chained and open-addressed hash can degenerate to a linked list. A chained hash (what you describe as a node consisting of a linked list) is actually a much more common hash type than open-addressing (where the values are stored in the table). There are a couple reasons, a chained hash can overflow, and an open ended hash always has to c
Re:I hope this isn't news to anyone... (Score:2)
I meant a chained hash can avoid overflow. In practice plenty of people make the collision list a fixed length, moving the overflow problem one step up.
Humanity (Score:2, Insightful)
(Or maybe this only happens to me?
Say what? (Score:4, Funny)
Why they always trin' to bring the black man down?
Re:Say what? (Score:2)
'Bro' server (Score:2, Funny)
Credits (Score:5, Informative)
Maybe their genius has been triggered by the recent advisory about a DOS exploiting hash collisions in netfilter [secunia.com].
They analyzed some softwares but no word about this known vulnerability. Still a good summary but not a discovery.
Re:Credits (Score:5, Informative)
Scott
Excellent paper (Score:5, Interesting)
I found your paper very interesting. I'd like to address a couple things.
1. You point out that MD5 is vulnerable to a brute-force search for bucket collisions. Isn't any deterministic hash-function vulnerable to the same attack? I know you solved the problem using a keyed version of MD5. With Carter and Wegman, you alluded to a randomly chosen constant and vector. I didn't notice you addressing this issue with UMAC.
2. The abstract says, "We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks." The abstract is ambiguous, but it insinuates that you'll provide a proof. I didn't see one. Perhaps it was in the references? Even if it was, certainly your 20 bit Carter-Wegman construction merits a new proof.
3. You said, "When analyzing algorithmic complexity attacks, we must assume the attacker has access to the source code of the application," I disagree. The attacker doesn't need the source code. They can reverse engineer the compiled binary.
Also, I wonder if an attacker even needs the program. An attacker could reasonably guess that a Perl script will store a certain string in an associative array. Many websites automatically process their Apache logs with Perl. Instead of requesting real pages, a blackhat could request strings that will hash to the same bucket (assuming the site uses Perl). When cron starts processing the logs, the website could slow to a crawl. Granted, the attacker knows the hash function from Perl, but they don't have access to the website's custom-made script.
4. You have a spelling error. Your paper should read, "due to the ten times larger queues of unprocessed events".
Re:Excellent paper (Score:4, Interesting)
Second, the universalness of that is from the origional carter&wegman paper. Our only real trick is to try to encode a useful construction without requiring 64-bit multpilication or modulation. There are aspects of the abstract I'm not entirely happy with. The section on solutions with unversal hashing was sorta grafted on later.(And I didn't write that sentence)
Third, yes, good guessing works too, even without source code.
Fourth. Damn. Don't you have something better to do?
Scott
Re:Credits (Score:5, Informative)
Bugtraq Post (Score:5, Informative)
They exploit the difference between 'typical case' behavior versus worst-case behavior. For instance, in a hash table, the performance is usually O(1) for all operations. However in an adversarial environment, the attacker constructs carefully chosen input such that large number of 'hash collisions' occur. Suitable collisions can be computed even when the attacker is limited to as little as 48 or 32 bits.
These attacks can occur over a very wide gamut of software, with impacts ranging from devestating to innocious.
We have studied and found the following applications possibly vulnerable to a greater or lesser degree:
For the last two, we have a tentative attack file, but have not constructed a test program to confirm the attack.
We have constructed attacks and confirmed the degradation on these:
Also related is the recent linux 2.4.20 route cache attack by Florian Weimer. David Miller is working on a patch that fixes other similar issues in other places of the networking stack.
Our paper discusses a new class of denial of service attacks that work by exploiting the difference between average case performance and worst-case performance. In an adversarial environment, the data structures used by an application may be forced to experience their worst case performance. For instance, hash tables are usually thought of as being constant time operations, but with large numbers of collisions will degrade to a linked list and may lead to a 100-10,000 times performance degradation. Because of the widespread use of hash tables, the potential for attack is extremely widespread. Fortunately, in many cases, other limits on the system limit the impact of these attacks.
To be attackable, an application must have a deterministic or predictable hash function and accept untrusted input. In general, for the attack to be signifigant, the applications must be willing and able to accept hundreds to tens of thousands of 'attack inputs'. Because of that requirement, it is difficult to judge the impact of these attack without knowing the source code extremely well, and knowing all ways in which a program is used.
The solution for these attacks on hash tables is to make the hash function unpredictable via a technique known as universal hashing. Universal hashing is a keyed hash function where, based on the key, one of a large set hash functions is chosen. When benchmarking, we observe that for short or medium length inputs, it is comparable in performance to simple predictable hash functions such as the ones in Python or Perl.
I highly advise using a universal hashing library, either our own or someone elses. As is historically seen, it is very easy to make silly mistakes when attempting to implement your own 'secure' algorithm.
The abstract, paper, and a library implementing universal hashing is available at http://www.cs.rice.edu/~scrosby/hash/.
Scott
** Affected Products: Extremely widespread. Confirmed vulnerable applications include Perl, the Linux kernel, the Bro IDS, and the Squid HTTP proxy cache. Although unconfirmed, vulnerablities appear to be in the GLIB utility library, the OpenBSD kernel, DJBDNS cache, TCL, Python, and Mozilla.
We conjecture that many implementations of hash tables in both closed source and open source software, unless specifically designed to be immune, may be subject to attack. It is likely
Re:Bugtraq Post (Score:2)
So...can you also say that an attack such as this is nearly impossible to successfully mount against a closed-source system?
I'm not trolling, just wondering. (And yes, I do know that you can make your program virtually immune by using a more secure hash function, so we don't need to bring that up.)
Re:Bugtraq Post (Score:2)
I'm not a security researcher, but I'd guess that disassembling any binary would provide plenty of information to reconstruct any hashing functions used. After all, people have proven themselves pretty clever at modifying closed-source games and finding (other) security problems in closed-source software, having only the binary to work from.
-Paul Koma
DOS Attack..... (Score:2, Funny)
glib example (Score:5, Funny)
I skimmed the Project Page [rice.edu] and aren't a couple of the examples awefully obvious?
The following one line of code brings every UNIX system I've run it on TO ITS KNEES WITHIN MINUTES!! This is a major vulnerability in EVERY UNIX system! Something must be done!
Re:glib example (Score:5, Informative)
Re:glib example (Score:2)
Process accounting adds overheard for minimal value (since critical information is left out, like the device/inode of the binary that was exec'd, the full command line, parent process ID, etc).
It will identify the culprit of a forkbomb, but if deliberate it will not be the individual's own account and if accidenhtal it won't allow you to take any real action against the user. It
Re:glib example (Score:2)
echo 'main() { while (1) if (fork() == 0) while(1); }' > dos.c
gcc -o dos dos.c &&
Re:glib example (Score:2, Interesting)
#define for(a;b;c){d} {a;while(b){d;c;}}
or
#define for(a;b;c){d} {a;do{d;c}while(b);}
or some such...
I suppose that some people would think that a while() or do{} loop is "purer"
than for() in C.
What C implementation do you use??? (Score:2)
HTML tables rendering bugs... (Score:3, Interesting)
Another thing.. this is nothing new. A number of DoS attacks require the server to do more than the client requests. The attacker's complexity would be O(n) whereas the server would be O(n^2) or some such, where n is any given method of communication. The only "new" thing would perhaps be looking at individual programs and algorithms, which is probably applying a very liberal definition of "new." They even admit it themselves by claiming ping-of-death and stack smashing have much in common with what they describe in the article.
And this is new? (Score:4, Interesting)
DoS attacks were mainly either removal of a service (by crashing it and/or stoping it's reload) or resource starvation, being any of CPU, disk, memory, network, etc.
Good to see these people have bothered to flick through a bit of history probably over 15 years old by now and call it something new, yawn.
Having had enough background in large computer systems, it can become quite depressing watching the constant flow of 'new innovations' that have been done may many years before on big iron, but are seen as new by people who just don't have the experience to realise.
Of course it is easier to DoS a machine by using it's own functionality against it rather than just brute force, welcome to computer science 101.
Just wait six months and someone will be releasing a fantastic new defense against this by limiting the CPU resources of given tasks to defined amounts so they cannot stop the system and only that particular service.
I mean come on, this was a common undergrad trick on the vaxes we used to get to play with way back then.
Re:And this is new? (Score:2)
How do you propose this should be done? How can you tell if input is malicious or not? I think that would be pretty tricky/impossible.
Re:And this is new? (Score:2)
make it an optional ThreadGroup parameter.
Not new but no such easy fix (Score:4, Insightful)
But consider a commercial app where customers can send requests to a J2EE app server running within a JVM. That's a very popular, very common setup (JBoss, BEA Weblogic, IBM WebSphere, etc.). The JVM is a single process. It is not CPU-capped because it's designed to stay up and running. When a Java thread handles a request and bumps into a CPU-hogging attack, it is not going to be terminated by the J2EE app server.
So this is potentially a problem, because you currently do not have a CPU-capping parameter in the most popular J2EE app servers. A response to this kind of attacks would require monitoring the amount of CPU consumed by threads processing incoming requests, which is always delicate.
CPU-capping shouldn't be done lightly. It can lead to disastrous failures. For instance, I once tried to use a graphical web application rendering some do-it-yourself tee-shirt lettering. The application was running on an older IIS and apparently had a CPU-time cap, because I got a message "sorry, your request took too long to process" when my design became a bit involved. Needless to say, my business went to a competitor. So CPU-capping isn't even a sure-fire solution.
In summary: Sorry, it is an issue.
Re:Not new but no such easy fix (Score:2)
Re:Not new but no such easy fix (Score:2)
No contest that there are deficiencies in the J2EE standard and the commercial app servers. Nobody disputes that. One of the shortcoming is lack of CPU capping. And the article describes how to turn this into a DoS attack.
J2EE-complaint servers are running all kind of web sites and upgrading them against these attack would be a major concern. You daily life could be impacted if, say, you're trading stock
Bro IDS info (Score:2, Informative)
Thankfully I’m really really stupid (Score:5, Funny)
Discussion on python-dev (Score:4, Informative)
Not really a problem (Score:2)
I'd expected better (Score:2)
The biggest implication of this is - if you're an open source application, exposing your internals to the outside world, and you are using a weak algorithm, then this sort of attack can be carried out on you.
Now I'm a fan of open source, but I'm sure that anyone that writes OSS will be taking this on board, so there's no need to worry.
Just joking, of course - everyone writing an accessible service in OSS needs to read this paper.
Sorry - rant over, but if you expose your internal wo
How about DoSing a laser printer? (Score:2)
...and not by the obvious method of printing a file containing nothing but 500 form feeds.
When I was at university, about 10 years ago, one of my fellow students came up with a way to tie up one of our shiny new Apple Laserwriters. They were quite expensive to run, and so the university charged us for each page that we printed. The nice thing about this hack, from the evil point of view, was that it produced only one page of output, so the cost to the hacker was negligible - at least in financial terms.
Wh
Re:This just proves that a little finesse still be (Score:5, Insightful)
Re:This just proves that a little finesse still be (Score:2)
It is probably easier to get 100 machines to DDOS a server, than to understand and get 1 computer to do a complex attack such as this one. This won't come into play untill they find a way to stop the current brute force attacks.
Re:What is a "Bro server"? (Score:3, Informative)
Re: (Score:1)
Nonsense (Score:2)
That specific attacks are given doesn't change this as the attacks given cover a variety of platforms and software - indeed, such attacks are not limited to network service software, but might be used against software that might be considered secure (behind firewalls with limited acce
Re:I don't know which is worse... (Score:2)
N.
Re:How to defeat this DoS. (Score:2)
How would NAT fix this problem? Are the packets not going to make it to the servers or something? If so then there's a problem, since these ARE server programs after all. These aren't just 'stray packets', they are chosen to exploit the worst case run time of algorithms, in this case mostly hash tables I believe.
Worst case is not just an excersize, if you find input that will make an algorithm run in it's worst form then the algorithm will run slower. The obvi
Re:How to defeat this DoS. (Score:2)
Do you know what a SYN packet is?
Do you know what a SYN-ACK packet it?
Do you know what NAT is and how it works?
No argument that their algorithm and packet generator will degrade performance, but NOT IF THE PACKETS DON'T MAKE IT TO THE SERVER.
Since you are obviously more knowledgable and refer to me as "stupid", please explain how this DoS attack can effect servers behind a NAT'ed router. Explain to me how a UPD packet (as in the case of the Squid DoS) or a
Re:How to defeat this DoS. (Score:2)
Upon closer inspection and soberness, you have a good point. I didn't really read the entire article last night.