Posted Oct 9, 2008 23:30 UTC (Thu) by tialaramex (subscriber, #21167)
One part of the attack that's been partly revealed uses the same trick as SYN cookies. SYN cookies work by hiding some information in fields that TCP/IP promises will be faithfully returned by the other party. (Part of?) the new attack relies on the same trick, but this time by the client, not the server. The client sends SYN packets but instead of storing the connection structures locally, the vital data is hidden in the SYN packet itself, and when it is returned per the requirements of the TCP specification, the data can be used to create a valid ACK. Thus the attacker needs to store no state to create a connection; their only overhead is sending two packets, while the victim system must store an entire connection structure (and for a lot of trivial services, either fork a process or create a thread...) for every packet. This quickly exhausts the resources of the victim, delivering a DOS.
Note that /unlike a SYN flood/ the attacker must reveal real addresses which they own in order to carry out such a "full connection" attack reliably. So it is really only useful if you can sacrifice the machines or addresses used in the attack (e.g. it's a server you previously compromised in another more sophisticated attack). Also it means that victims can use ordinary stateless firewall technology available on every platform to block the main effect of the attack once they identify the source.
In a sense this "attack" wasn't revealed because it isn't one attack but a collection of strategies to undermine the principle that you shouldn't do disproportional work for an unauthenticated connection. Traditionally it was expected that an attacker must waste as many resources on a TCP DOS as the victim, and thus you can only win if you have more resources (e.g. because you have amassed a zombie network of compromised PCs). This suite of attacks apparently all tips the balance in the attacker's favour, reducing the storage, CPU and network bandwidth overhead of maintaining an effective DOS.
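The server-side SYN cookie mechanism the comment refers to, as an added example that is not part of the original comment: the server packs a time counter, an MSS index and a keyed MAC into the initial sequence number it sends in the SYN-ACK, then rebuilds the state from the acknowledgement number when the ACK arrives. The 5/3/24-bit layout, the HMAC-SHA256 choice, the key, the MSS table and the function names are assumptions made for illustration, not the Linux kernel's implementation.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"     # assumption: a random per-boot key in practice
MSS_TABLE = [536, 1220, 1440, 1460]  # constructed table; 3 bits allow up to 8 entries
TICK = 64      # seconds per step of the time counter
MAX_AGE = 2    # accept cookies issued up to 2 ticks ago


def _mac24(src, sport, dst, dport, t, idx):
    """24-bit keyed MAC over the 4-tuple, time counter and MSS index."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHIB", sport, dport, t, idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_mss, now):
    """ISN for the SYN-ACK. Nothing is stored; the ISN carries the state."""
    t = int(now) // TICK
    # Largest table entry that does not exceed the MSS the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac24(src, sport, dst, dport, t, idx), "big")
    return ((t & 0x1F) << 27) | (idx << 24) | mac


def check_cookie(src, sport, dst, dport, ack_num, now):
    """Validate the handshake-completing ACK. Returns the MSS, or None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF   # the peer must echo ISN + 1
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    t_now = int(now) // TICK
    for age in range(MAX_AGE + 1):
        t = t_now - age
        if t < 0 or (t & 0x1F) != cookie >> 27:
            continue
        expected = _mac24(src, sport, dst, dport, t, idx)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[idx]   # only now allocate a connection structure
    return None
```

A cookie only defers allocation until the ACK arrives; a peer that completes the handshake from a real address still costs the server a full connection structure, which is why the comment points to filtering by source address.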
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds