Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: George Herbert
  • Date: Wed Feb 09 16:31:02 2000


Scott Crowby wrote:
>George Herbert wrote:
>> Assume there's 40k of data in the homepage.
>> How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take
>> to do a TCP connect and request?  I just tested, I show 160 bytes.
>> That's a 250:1 leverage for the attacker.  To fill 1 GBPS worth
>> of outbound trunking you only need to generate 4 MBPS (32 Mbps)
>> worth of input.  50ish systems with T-1 connectivity gets there
>> with margins.
>
>I don't have posting privledges on NANOG, so forward if you think it is
>appropriate... But this is false,
>Yes, you can send 160 bytes and the HTTPD will attempt to send 40kb, but 
>the TCP stack won't actually send it all unless it gets ACK's from the
>reciever, which means that the reciever has to be able to accept at least
>some of that traffic. If there is sufficient congestion to keep the
>traffic from arriving and ACK's being sent, the sender will slowdown. 
>So this type of attack would be throttled on the initiator's side through
>TCP slowdown and missed ACK's. 

I missed this when I origionally posted last night, but not completely.

If attacker has raw socket or TCP stack manipulation on the attacking
box then they can "cheat" and pre-send ACKs for data not actually received
yet once the connection opens up.  This is explained in detail in several
articles in the ACM SIGCOMM journal over the last year and other sources.
It requires a bit more work by the attacker but forces the victim to
send all the data (most of which is then discarded silently by routers
somewhere upstream of the attacker due to congestion, and not noticed
by the victim because of the faked ACKs).

In reality the technique hits statistical limits due to that congestion
losing the SYN/SYNACK/ACK/HTTP GET packets needed to set up the connections
in the first place, although all of those are re-sent if not properly
acknowledged the throughput of TCP drops through the floor as loss rates
increase as high as they will when doing this type of attack.
But if bigger packets are more likely to get dropped (typical attack
total packet 60 bytes, response 1k) then you can get a fair leverage
out of it even so.


-george william herbert
gherbert@crl.com






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.