IW: Tools Stunt DoS Attacks

Bill Stewart bill.stewart at pobox.com
Fri Feb 9 13:07:02 PST 2001


At 09:08 AM 2/9/01 +0200, Andrew Alston wrote:
>If the attacker has a large number of slave machines, each machine is
>spoofing from 1000 addresses (i.e. sending 1000 packets each one from a
>different address, and then cycling these addresses or generating another
>1000 different addresses), it becomes VERY VERY difficult to block.
>1000 machines, each sending 1000 packets, from 1000 spoofed addresses, each
>packet is 8k big...


Agreed - if the ISPs aren't spoof-proofing, it's very tough to defend
against, as Lars and I noted.  But if ISPs, particularly the cable and DSL
ISPs, are spoof-proofing their outgoing packets, there won't be an
unblockably large 1,000,000 addresses, just a still-annoying 1000 addresses,
and the addresses you'll be blocking are mostly sites you won't miss
(cable, DSL, and dial-up subscribers) rather than a random scatter
of probably-useful systems and networks around the net.

>Because each packet is a SYN packet, ... the firewall will attempt to
>insert 1 million rules in the space of under 5 minutes.

The magic of SYN attacks is that you don't have to accept
more than one SYN from a given machine at a time,
at least for a given port, so you don't have to use firewall rules
except to limit the range of ports that are being targeted,
and when you start to build rules, you only need 1000 of them.

>With 1000 machines, each sending 10 8k packets per second (80k/sec), you are
>running at 80000k/sec, that is to say almost 80 gigabit, enough to kill an
>OC-48 dead in the water.

Fortunately, that's only 80 Megabits, not Gigabits, 
so it's only a T3-killer, not an OC-768-killer :-)  Still annoying.
You can fill the T3 with about 1500 dialup users,
and about 5 times as fast with cable modem or IDSL,
15-30 with faster DSL, and of course much faster with 
university machines (where you're limited by the 
university's aggregate outgoing bandwidth
rather than the individual smurves' bandwidth.)
Of course, if you've only got a T1/DSL/Cable line, you're toast.

But there are several different attacks here -
I'd be surprised if there's a legitimate use for 8KB SYN packets,
though I'm not sure any current firewalls have an easy way to
detect and block that, so it may work.
Some attacks are likely to be blocked by firewalls -
ports you don't want, UDP packets and traffic pretending to be
from open TCP connections when you haven't done a SYN first.
Those still flood your incoming pipe - some ISPs are
offering network-based firewalls that can do simple filtering
at the upstream end of the connection to reduce the
bandwidth you spend on anklebiters.

But still, a 1000-machine attack is hard to do much about by yourself,
and as you say, the upstream providers will get swamped also
until you go out smurf hunting and get the things killed off.
There have been some proposals to add various tracing to the
backbone networks that may be of some help in the future.

Things could be far worse, though - imagine if some popular software
package that people installed on purpose had DDOS capabilities,
like a hacked Napster client or Quake Performance-Booster or 
Netscape Foobar-Graphics plug-in or a more clever than usual MSWord virus.
Bad stuff.



				Thanks! 
					Bill
Bill Stewart, bill.stewart at pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
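The two defences the message leans on, ISP-side spoof-proofing of outgoing packets and a firewall that keeps only one pending SYN per source and port, as an added simulation that is not part of Bill's or Andrew's messages. The ISP prefix (203.0.113.0/24), the forged-address range (198.51.100.0 and up), the target address (192.0.2.10), the packet records and the flood sizes are all constructed for illustration; the functions egress_filter, SynTable, make_flood and defend are hypothetical names chosen here.

```python
"""Added example (not from the cypherpunks-legacy thread): a small simulation
of ISP egress filtering plus a one-pending-SYN-per-source firewall table,
run over a constructed spoofed SYN flood."""

import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport flags size")

# Constructed: the address block an access ISP hands out to its subscribers
# (RFC 5737 documentation range, chosen for the example only).
ISP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def egress_filter(packets, prefixes=ISP_PREFIXES):
    """Spoof-proofing at the ISP edge: forward only packets whose source
    address lies inside the ISP's own prefixes and drop everything else."""
    forwarded, dropped = [], []
    for p in packets:
        src = ipaddress.ip_address(p.src)
        (forwarded if any(src in net for net in prefixes) else dropped).append(p)
    return forwarded, dropped


class SynTable:
    """Firewall half-open table that keeps at most one pending SYN per
    (source address, destination port).  A repeat SYN from the same source to
    the same port refreshes the existing entry instead of adding a new one,
    so the table is bounded by the number of distinct sources, not packets."""

    def __init__(self, max_entries=10000):
        self.pending = {}          # (src, dport) -> most recent SYN
        self.max_entries = max_entries
        self.rejected = 0          # SYNs refused because the table was full

    def accept_syn(self, p):
        # Only a bare SYN (no ACK) opens a half-open entry.
        if "S" not in p.flags or "A" in p.flags:
            return False
        key = (p.src, p.dport)
        if key in self.pending:
            self.pending[key] = p  # refresh; no growth
            return True
        if len(self.pending) >= self.max_entries:
            self.rejected += 1
            return False
        self.pending[key] = p
        return True


def make_flood(n_machines=100, n_spoofed=50, size=8192):
    """Constructed flood: n_machines subscriber hosts inside ISP_PREFIXES, each
    sending one 8 KB SYN to port 80 under n_spoofed different claimed source
    addresses (its own real address plus n_spoofed - 1 forged ones)."""
    subscriber_base = ipaddress.ip_address("203.0.113.0")
    forged_base = ipaddress.ip_address("198.51.100.0")   # outside the ISP
    target = "192.0.2.10"
    pkts = []
    for m in range(n_machines):
        pkts.append(Packet(str(subscriber_base + m + 1), target, 80, "S", size))
        for k in range(n_spoofed - 1):
            forged = str(forged_base + m * n_spoofed + k)
            pkts.append(Packet(forged, target, 80, "S", size))
    return pkts


def defend(packets, spoof_proofing=True):
    """Pass the flood through the ISP egress filter (optionally) and then the
    firewall's SYN table; return the numbers a defender would look at."""
    if spoof_proofing:
        packets, dropped = egress_filter(packets)
    else:
        dropped = []
    table = SynTable()
    for p in packets:
        table.accept_syn(p)
    return {
        "dropped_at_isp": len(dropped),
        "reached_firewall": len(packets),
        "bytes_reached": sum(p.size for p in packets),
        "distinct_sources_to_block": len({src for src, _ in table.pending}),
        "pending_entries": len(table.pending),
    }


if __name__ == "__main__":
    flood = make_flood()
    for label, sp in (("with ISP spoof-proofing", True), ("without", False)):
        print(label, defend(flood, spoof_proofing=sp))
```

With spoof-proofing on, the 5000-packet flood collapses to 100 packets from 100 real subscriber addresses at the firewall, which is the "still-annoying 1000 addresses" case in the reply scaled down; with it off, every forged address becomes its own table entry and the blocklist grows with the attacker's address-cycling rather than with the number of machines.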