Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security The Internet

New Low Bandwidth Denial of Service Attacks 366

An anonymous reader writes "A paper from Rice University appearing at the 2003 ACM Sigcomm Conference presents a new denial of service attack where the attacker only needs to send at a low rate to shutdown TCP flows. The trick exploits the retransmission timeout mechanism in TCP. By sending small bursts of packets at just the right frequency, the attacker can cause all TCP flows sharing a bottleneck link to simultaneously stop indefinitely. And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts. The presentation, and other presentations from the conference, are available online (live streaming)."
This discussion has been archived. No new comments can be posted.

New Low Bandwidth Denial of Service Attacks

Comments Filter:
  • by mgcsinc ( 681597 ) on Thursday August 28, 2003 @11:45AM (#6815358)
    When I read the title, I imagined a hoard of old geezers, using walkers, coming at me with sticks... but seriously, I don't see how this type of attack could prove as unstoppable or undetectable as claimed; I'm not particularly briefed with the mechanics of Retransmission Time Out, but can the mechanism not be tweaked to avoid these types of attacks without sacrificing all of its benefit?
  • yay (Score:4, Funny)

    by geighaus ( 670864 ) on Thursday August 28, 2003 @11:46AM (#6815370)
    Yay, finally there's use for my trustworthy 2400bod modem :D
    • by gosand ( 234100 ) on Thursday August 28, 2003 @11:59AM (#6815498)
      Yay, finally there's use for my trustworthy 2400bod modem :D

      Anyone who is actually old enough to have used one of these would certainly know how to spell it correctly.

      I call faker! You are just trying to pretend you are some 31337 old geek when you probably have never used anything slower than a DSL line.

      Now get out of here before I whip ya with this here cable with BNC connectors.

      • well, i've got a good excuse. my native language is not english :p
        • Re:yay (faker!) (Score:5, Informative)

          by hey ( 83763 ) on Thursday August 28, 2003 @12:07PM (#6815576) Journal
          "baud" is named after J.M.E. Baudot who was French. more info [hyperdictionary.com]
      • Be nice, or I'll strangle you with a piece of this thicknet cable.
      • And BNC stands for? ...
      • by Genady ( 27988 )
        You'd better duck, these vampire taps can be nasty when they hit yea square in the noggin!
      • Now get out of here before I whip ya with this here cable with BNC connectors.

        For 1337-speakers that may have never seen those... they were big pieces of METAL on the ends of network cables.

        none of those sissy plastic phone-jack "snagless" wires in the olds days. These things were physically keyed. If you tugged on the cable hard enough, the thing you were most likely to do was pull the wire out of the connector. If that didn't happen, then you're probably dragging your computer along the floor.

        While
    • by burgburgburg ( 574866 ) <splisken06.email@com> on Thursday August 28, 2003 @12:06PM (#6815566)
      You were lucky.

      In my day, we had to get at 2:00am, clean the road with our tongues, crawl to work on broken glass and when we got there, we had to work with 6 baud modems that were powered by rabid hamsters. And we were glad for them.

      • I had to hammer the wire out of rusty nails, break the necks off of beer bottles for insulators, string the wire, build modems out of 12AU7 and 6J6 tubes, and have it all running before dawn. And we were glad for them.

        • Tubes!!! You weenie.

          We had to do all our programming on punch cards with an old Jacquard loom. And that was the new system.

          Before that we were stuck with the old calculator that Pascal gave us.

          • Loom? You were lucky.

            We had to do all our programming by having a Viking take a battle axe to particular monks in a line to represent ones and zeros. The cost of computing was enormous. Those Vikings didn't work cheap, and the price of monks went up every year. Then when Constantinople fell to the Turks, ...

            Oh, I've had enough of this. I never wanted to be a geek. I wanted to be ... a lumberjack!

        • Nails! You had rusty nails?

          I had to chisel the packets into stone tablets, then carry them one-by-one, back-and-forth, through fields of knee-deep snow on the back of an angry, flatulant ox.

          ..and I was glad for the ox!

      • And don't forget. Walk 5 miles to work everyday in knee-deep snow..

        uphill..

        both ways..
      • And you forgot that you had hot grits for breakfast.

    • Re:yay (Score:5, Funny)

      by cK-Gunslinger ( 443452 ) on Thursday August 28, 2003 @12:10PM (#6815611) Journal
      2400 baud? Back in my day, I had to run back and forth to my ISP yelling in binary.

      "101010100010100"
  • SCO? (Score:3, Funny)

    by chill ( 34294 ) on Thursday August 28, 2003 @11:47AM (#6815379) Journal
    I wonder if this had anything to do with the "coordinated DDOS" that SCO was experiencing the last couple of days? The one ESR was referring to and supposedly convinced someone to stop doing.

    Damn sneaky way to get another SCO story on to /.

    • by mcc ( 14761 ) <amcclure@purdue.edu> on Thursday August 28, 2003 @11:58AM (#6815480) Homepage
      [Scene: SCO Group, Utah. Where a "coordinated DDOS" is just beginning..]

      [SUIT 1] Uh, hey, uh.. this one computer here.. it's like the webserver or something?
      [SUIT 2] Yeah, I think, why?
      [SUIT 1] Well, none of the lights on it are on.. that's.. hm.
      [SUIT 2] Oh, yeah, hey, look at that, someone seems to have tripped over the cord and unplugged it. [[Switches it back on]]
      [SUIT 1] Huh.. um.. it doesn't seem to have started up all the way. It's saying something about "fsck" and asking for a password. What does that mean?
      [SUIT 2] Hm, not sure.
      [SUIT 1] Well.. could we get one of the linux guys to come and reboot it? Or something?
      [SUIT 2] Well, we fired all of the linux guys so that we could concentrate all our resources on the lawsuit.
      [SUIT 1] Uh.. shit! Well, I guess I better figure something out.. hmm
      [[ Two days later, after two days of phone calls, SUIT 1 finally finds an INDEPENDENT CONTRACTOR who doesn't just laugh and hang up on him when he says he wants them to come fix a linux server. INDEPENDENT CONTRACTOR starts the linux server up all the way and charges a great deal of money. "Coordinated DDOS" thus ends. ]]
  • by Brahmastra ( 685988 ) on Thursday August 28, 2003 @11:50AM (#6815398)
    This is a tough paper to read. It's going to be a long time before an "Insightful" post.
  • by XSforMe ( 446716 ) on Thursday August 28, 2003 @11:50AM (#6815405)
    are available online (live streaming).
    This guy is an amateur, wait until he feels the slashdot effect on his server. His next presentation will be entitled, how to knock down any server by just posting an article.
  • From all the links in the article, it is not clear where I can read about this. I don't have time to watch a streaming video but would like to find out more about this.

    Best wishes
    James
  • I doubt it... (Score:2, Interesting)

    by moehoward ( 668736 )
    I'm pretty certain that my firewall would flag the bursts. If not, seems a simple rule or two would suffice to flag them. I'd like to see this in action. I suspect that it is pretty lame and easily detected.

    My guess is that by Friday night, the kiddies will have thousands of these going. So, I guess I can do see for myself tomorrow.
    • Re: (Score:3, Informative)

      Comment removed based on user account deletion
    • Re:I doubt it... (Score:5, Insightful)

      by sg_oneill ( 159032 ) on Thursday August 28, 2003 @12:06PM (#6815564)
      I'm pretty certain that my firewall would flag the bursts. If not, seems a simple rule or two would suffice to flag them. I'd like to see this in action. I suspect that it is pretty lame and easily detected.

      My guess is that by Friday night, the kiddies will have thousands of these going. So, I guess I can do see for myself tomorrow


      Ah. sure dude.

      Not sure how a firewall helps with DOS and DDOS attacks however. something floods your pipe, and its flooded, no matter how clever your firewall is. Try reading the article :)

      • Not sure how a firewall helps with DOS and DDOS attacks however. something floods your pipe, and its flooded, no matter how clever your firewall is. Try reading the article :)

        Maybe You should read the HEADLINE! :-) This is a low-bandwidth DOS which exploits a TCP stack weakness to prevent outgoing packets. It does not flood the pipe.
        • Its not a weakness. Its a feature ;)

          Alas. The main 2 defences mountable run at the trade off of 'shitifying' your tcp stack performance. Either way its a DOS in the tradition of those lil syn fucker type DOS's just has some maths in its head and rather operates on timeouts.

          Eh... its 2.15. Time fer bed :)
  • by fuqqer ( 545069 ) on Thursday August 28, 2003 @11:53AM (#6815433) Homepage
    This is a duplicate story [slashdot.org]from a looonnnng time ago. May 31 as a matter of fact. This means something considering the amount brain cells I kill with liquor everyday.
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) * on Thursday August 28, 2003 @11:54AM (#6815435)
    Comment removed based on user account deletion
  • by RobertB-DC ( 622190 ) * on Thursday August 28, 2003 @11:54AM (#6815436) Homepage Journal
    My first thought was, "Oh, great, now the 5kr1pt k1dd1e5 will have another instruction manual."

    Then, I downloaded the .pdf file [acm.org], and started reading it. My head's still spinning!

    Here's a sample:
    When the number of flows in the system is high, a fraction of flows' retransmission timers will expire sufficiently near time (alpha) such that those flows can partially recover and utilize the available bandwidth in the period from time (alpha) to time (beta), when all flows will again experience an outage.
    And that's one of the more lucid sentences.

    Anyone who would be able to put together an actual attack from this paper probably has enough education to get a real job -- something that doesn't go well with writing malware on the side.

    Of course, now that the paper's being discussed on Slashdot, all bets are off!
    • by Abcd1234 ( 188840 ) on Thursday August 28, 2003 @12:23PM (#6815761) Homepage
      When the number of flows in the system is high, a fraction of flows' retransmission timers will expire sufficiently near time (alpha) such that those flows can partially recover and utilize the available bandwidth in the period from time (alpha) to time (beta), when all flows will again experience an outage.

      Bah, the paper isn't that bad. Heck, without reading the whole thing and knowing a little bit about what they discuss (based on the first section), I can understand what you've quoted (if I'm correct, this is from their section on mitigating attacks using randomized RTOs).

      Really, the basic concepts are *incredibly* simple. Send a burst of traffic which causes drops in the short term. This results in the TCP stack backing off and re-transmitting the packet after the defined RTO. So, if you hit the stack with another burst of packets just as the RTO is expiring, the stack will back off again. Lather, rinse, repeat. This requires a lot less traffic, since your bursts are spaced apart (roughly a second per burst, typically, since that's a pretty standard RTO).

      Really, all you need is a basic understanding of TCP flow control to understand the concepts in this paper (which, BTW, they attempt to explain in the first section). The rest of the content (modelling TCP flow rates relative to DoS flow rates, etc) is really just the formal analysis of the basic attack, which certainly isn't important if all you care about is implementing it.
  • by canajin56 ( 660655 ) on Thursday August 28, 2003 @11:56AM (#6815467)
    Good grief, they are giving instructions for how to DoS people! Arrest them using the DMCA! QUICK, BEFORE THE CAT IS OUT OF THE BAG!
  • Just what we need... (Score:2, Interesting)

    by El ( 94934 )
    a step-by-step recipe on how to screw up the internet even worse. I thought common sense dictated that you don't release documentation of a vulnerability until there is a fix available for it. I know security by obscurity doesn't work, but in the case of fundamental flaws in the TCP architecture... well, I'd rather the script kiddies find out about it later rather than sooner. Aren't we overdue for a TCP replacement anyway? One that supports sequenced packets as well as byte streams, and one that allows win
    • Comment removed based on user account deletion
    • If you RTFA you will see he proposes counters for this kind of attack. Random time outs but this pretty much kills the efficency gained with TCP.

      As for a better protocol. You are quite free to write and implement one. Just find other ppl to use it. Don;t forget there are quite a lot of protocols out there (UDP being probably the next biggest).
    • This is an architectural "flaw" of TCP (the authors seem to conclude that its retransmission mechanism is sound and necessary, but can't be effectively protected against for this DoS -for the sake of argument, let's call it a flaw) - whom would you propose "fix" the problem before the vulnerability is widely known?

      Since the architectural flaw seems to be in the retransmission recovery sequences of TCP, eg, it can be spoofed in a way undistinguishable from normal retransmission recovery sequences, actual s

  • Direct link to paper (Score:5, Informative)

    by Hygelac ( 11040 ) on Thursday August 28, 2003 @11:58AM (#6815482) Homepage
  • by carpe_noctem ( 457178 ) on Thursday August 28, 2003 @12:01PM (#6815512) Homepage Journal
    Not to rain on the parade here, but I thought there were a number of more interesting papers from sigcomm this year. Namely:

    - Peer-to-Peer Information Retrieval Using Self-Organizing Semantic Overlay Networks
    - Quantum Cryptography in Practice
    - Making Gnutella-like P2P Systems Scalable

    Just some more food for thought....
  • Saturation! (Score:5, Interesting)

    by pvera ( 250260 ) <pedro.vera@gmail.com> on Thursday August 28, 2003 @12:02PM (#6815526) Homepage Journal
    Back in my days as a satellite network controller for the Army it was common knowledge all it takes to saturate the whole frequency range for the commo payload is a nice 75Khz spike (enough carrier for a FM orderwire signal). People would argue it could not be done since we pretty much owned the 7.25->8.4 GHZ spectrum, but it worked pretty damn well. This is the equivalent of saturating a T1 with a 14.4 modem.
  • Aha! (Score:4, Funny)

    by Pig Hogger ( 10379 ) <pig DOT hogger AT gmail DOT com> on Thursday August 28, 2003 @12:03PM (#6815531) Journal
    So that's what happenning to Joe Jared's Osirusoft black-hole list, and the SPEWS website...

    I call to all arms-bearing full-bloodied americans to rush home, take their trusty shotguuns, and relentlessly hunt down spammers until the last one is gutted and stuffed and put on display in the Smithsonian!!!

  • Does it really work. (Score:2, Interesting)

    by d3z ( 159232 )
    In my vague understanding of TCP, I thought that the retry timers were supposed to have a random element to them. In fact, some systems talk of using cryptographic random sources so that the delays aren't predictible.

    If that isn't the case in implementations, it would seem to be implementation error, not really a fault with the protocol itself.
    • by d3z ( 159232 )
      So, reading other information, it looks like they're desciring just a weakness in the multicast support, which as far as I know, is rarely used.

      I don't expect an attack like this to be able to effect me.
  • by JoeLinux ( 20366 ) <joelinux@ g m a i l . c om> on Thursday August 28, 2003 @12:08PM (#6815588)
    Like Microsoft (May Billy Gates live forever) says, "If nobody does any research on it, nobody'll know it exists, right?"

    That was totally irresponsible. They should have not released theat information, and promptly committed Hari-Kiri so the information would never be uttered again on the face of the earth.
  • Timescale (Score:5, Funny)

    by rf0 ( 159958 ) <rghf@fsck.me.uk> on Thursday August 28, 2003 @12:24PM (#6815777) Homepage
    Paper Today
    Proof of Concept by Monday
    Script Kiddies Version by Thursday
    Internet dies on Friday
    All back to normal Monday

    Rus
  • By the time you click the link it will timeout and you will have just engaged in one of those low bandwidth DDOS aatacks.

    Of course, none of this is real, and time is just an illusion that keeps everything from happening at once.

    Heh, heh
  • Sounds a lot like... (Score:2, Interesting)

    by tomkit ( 521930 )
    ...resonance frequency.
    By sending small bursts of packets at just the right frequency, the attacker can cause all TCP flows sharing a bottleneck link to simultaneously stop indefinitely.
  • by Apparition29 ( 612888 ) on Thursday August 28, 2003 @12:30PM (#6815839)
    Essentially this says that all you do is to continually convince TCP that the 'pipe' is full of information and to take counter measures.

    TCP will do this with a preset procedure that was designed to elminate deadlock situation. The problem occurs when everytime the TCP stack trys to resend the information, you can fool it by filling the 'pipe' again. As long as you know when the TCP stack will retry again, you can continue this over and over. Because it does not take a lot of information to fill the 'pipe' for the short time that TCP attempts to resend, you can have a low bandwidth attack.
  • by Rolman ( 120909 ) on Thursday August 28, 2003 @12:37PM (#6815901)
    In the latest Lovsan.* worm outbreak, the worm was programmed to generate a DDoS attack to www.windowsupdate.com, only the attack was not very successful because that domain was just a means of redirection to the real Windows Update site (windowsupdate.microsoft.com), so Microsoft just shut it down and avoided any harm.

    But with this low-bandwidth exploit, which I believe is actually not a new idea, since IE uses a tricky method to increase speed by leaving persistent connections until they time out [slashdot.org] that could be exploited, now a worm can potentially DoS any website, even dynamically selecting the target from the users' IE favorites and performing the attack very quickly (maybe in a matter of hours) without having to rely it on being a widespread, coordinated DDoS or what the target OS/Server is.

    The paper even claims that in order to protect a server from this type of attack you'd need to sacrifice a good deal of performance, which in most cases is not acceptable so many people can't really afford to implement defenses. Either a clever workaround is made for this exploit, or we have tough times ahead from worm outbreaks and script kiddies.

    • The Internet is a consensus-based network, based on protocols which were intended to be robust, but never intended to scale to the degree that they have. Much of the Internet is based on the idea that the people using it could agree to external rules to keep it civil.

      This whole scheme breaks down badly as the Internet and it's protocols are scaled to the 'big mean world'. Spam is the result in the domain of email. Things like this low bandwidth DoS attack are the result in the domain of TCP.

      Problems l

  • ...when we publish how to build a thermonuclear device using common household items! ;)

    • Sshhhhh. Quiet man, you're gonna give away all my secrets. Do you know how easy it is to find Uranium or Thorium; but, how hard it is to hide it. Damn man, now they're gonna be looking for me...

      Note to self: Must shield hidden reactor in basement better.

  • Dupe! (Score:2, Informative)

    by in7ane ( 678796 )
    Denial of Service via Algorithmic Complexity [slashdot.org]

    dupe
    Dupe!
    DUPE!!!


    Posted by michael on Sunday June 01, @12:56AM from the advanced-topics dept. dss902 writes "We (Department of Computer Science, Rice University) present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures... Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, ou
    • Re:Dupe! Or not... (Score:4, Insightful)

      by Abcd1234 ( 188840 ) on Thursday August 28, 2003 @01:53PM (#6816768) Homepage
      Too bad this is a *completely different attack*! Jeez, read the friggin' paper, people. The paper you reference talks about a DoS which exploits data structures commonly used in TCP stacks. The DoS in the paper referenced for this article exploits TCP congestion control algorithms to "fool" the TCP stack into thinking the pipe is full when it really isn't by sending carefully timed packet bursts.
  • Undistinguishable? (Score:5, Insightful)

    by _iris ( 92554 ) on Thursday August 28, 2003 @01:01PM (#6816181) Homepage
    "And because the attacker only needs to burst periodically, the attacker will not be distinguishable from normal hosts."

    Except for the bursts of traffic from the same host at a certain frequency.
    • Yeah, because there's no way in HELL that anybody who could design this sort of system could POSSIBLY think to, gosh, some sort of, I don't know, maybe.... randomize the times they attack? Or even build, oh, I don't know, some sort of DISTRIBUTED smurf-like system so that the bitty little attacks are coming from RANDOM hosts at RANDOM times.

      Good thing, too.

  • Duh! (Score:5, Funny)

    by dark-br ( 473115 ) on Thursday August 28, 2003 @01:05PM (#6816218) Homepage
    You can use a modem to post a slashdot article with a link to the target computer...

  • by Andy Dodd ( 701 ) <atd7@@@cornell...edu> on Thursday August 28, 2003 @01:06PM (#6816234) Homepage
    Since it requires accurate timing.

    a) Even if the average bandwidth is low, the attacker will still need the ability to burst those peaks. Remember that in most cases, we pay for peak bandwidth and not average bandwidth. A 56k modem likely won't be able to perform one of these DoS attacks because it doesn't have the peak b/w capability.

    b) The more hops you are away from your target, the more your peaks will get spread out and averaged. Keep in mind that most cable modem head-ends and the cable modems themselves have REALLY long packet queues. This is why upstream saturation is such a problem for cable modems. You can burst all you want, if you're DoSing from a cable modem it'll be averaged out and/or the timing completely FUBARed by the time the packets leave your neighborhood.
  • Frequency (Score:5, Funny)

    by StormReaver ( 59959 ) on Thursday August 28, 2003 @01:11PM (#6816291)
    "By sending small bursts of packets at just the right frequency...."

    That's not a problem. All you have to do is periodically adjust your shield harmonics to keep the attacker from adapting quickly enough to do any harm.
  • by CoyoteGuy ( 524946 ) on Thursday August 28, 2003 @02:08PM (#6816917)


    Just set the evil bit, and all is well. ;)

"Hello again, Peabody here..." -- Mister Peabody

Working...