Re: Yahoo offline because of attack (was: Yahoo network outage)
 
Scott Crowby wrote:
George Herbert wrote:
Assume there's 40k of data in the homepage. How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take to do a TCP connect and request? I just tested, I show 160 bytes. That's a 250:1 leverage for the attacker. To fill 1 GBPS worth of outbound trunking you only need to generate 4 MBPS (32 Mbps) worth of input. 50ish systems with T-1 connectivity gets there with margins.
I don't have posting privileges on NANOG, so forward if you think it is appropriate... But this is false. Yes, you can send 160 bytes and the HTTPD will attempt to send 40kb, but the TCP stack won't actually send it all unless it gets ACKs from the receiver, which means that the receiver has to be able to accept at least some of that traffic. If there is sufficient congestion to keep the traffic from arriving and ACKs being sent, the sender will slow down. So this type of attack would be throttled on the initiator's side through TCP slowdown and missed ACKs.
I missed this when I originally posted last night, but not completely. If the attacker has raw socket or TCP stack manipulation on the attacking box then they can "cheat" and pre-send ACKs for data not actually received yet once the connection opens up. This is explained in detail in several articles in the ACM SIGCOMM journal over the last year and other sources. It requires a bit more work by the attacker but forces the victim to send all the data (most of which is then discarded silently by routers somewhere upstream of the attacker due to congestion, and not noticed by the victim because of the faked ACKs). In reality the technique hits statistical limits due to that congestion losing the SYN/SYNACK/ACK/HTTP GET packets needed to set up the connections in the first place. Although all of those are re-sent if not properly acknowledged, the throughput of TCP drops through the floor as loss rates increase as high as they will when doing this type of attack. But if bigger packets are more likely to get dropped (typical attack total packet 60 bytes, response 1k) then you can get a fair leverage out of it even so.

-george william herbert gherbert@crl.com
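The defensive counterpart to the "pre-sent ACK" point above is a check the sending TCP stack can make: an ACK number that runs ahead of SND.NXT acknowledges bytes the server has never transmitted, and RFC 793 tells the sender to drop such a segment instead of letting it open the window. The following is an added illustration, not code from this thread or from any real TCP stack; the `Sender` model, the `replay` helper, the initial sequence number and the event trace are all constructed for the example.

```python
# Sender-side check for "optimistic" ACKs (acknowledgements of data not yet sent).
# Added example, not code from this thread. It models the RFC 793 send-side
# rule: if SEG.ACK > SND.NXT the segment acknowledges bytes the sender never
# transmitted, so it is dropped rather than allowed to advance the window.
# All sequence numbers and the event trace below are constructed.

MOD = 1 << 32  # size of the TCP sequence-number space


def seq_gt(a, b):
    """True if sequence number a is logically after b (modulo 2^32)."""
    return 0 < ((a - b) % MOD) < (MOD >> 1)


def seq_le(a, b):
    """True if sequence number a is at or before b (modulo 2^32)."""
    return not seq_gt(a, b)


class Sender:
    """Minimal model of a TCP sender's send-sequence variables (hypothetical)."""

    def __init__(self, iss):
        self.snd_una = iss          # oldest byte not yet acknowledged
        self.snd_nxt = iss          # next sequence number to be sent
        self.suspicious = []        # (ack, snd_nxt) pairs that were rejected

    def send(self, nbytes):
        """Record transmission of nbytes of payload."""
        self.snd_nxt = (self.snd_nxt + nbytes) % MOD

    def on_ack(self, ack):
        """Classify an incoming ACK number and update state accordingly."""
        if seq_gt(ack, self.snd_nxt):
            # Acknowledges data we have not sent: no honest receiver can have
            # seen those bytes. Drop it (RFC 793 also replies with an ACK).
            self.suspicious.append((ack, self.snd_nxt))
            return "drop"
        if seq_le(ack, self.snd_una):
            return "duplicate"
        self.snd_una = ack
        return "advance"


def replay(events, iss=1000):
    """Replay ("send", n) / ("ack", a) events; return (ack results, sender)."""
    s = Sender(iss)
    results = []
    for kind, value in events:
        if kind == "send":
            s.send(value)
        elif kind == "ack":
            results.append(s.on_ack(value))
        else:
            raise ValueError(kind)
    return results, s


# Constructed trace: two full-size segments, one honest ACK, then an ACK that
# runs ahead of anything ever sent, then an honest ACK and a duplicate.
TRACE = [
    ("send", 1460),
    ("ack", 2460),
    ("send", 1460),
    ("ack", 10000),   # beyond snd_nxt (3920): must be rejected
    ("ack", 3920),
    ("ack", 3920),
]

if __name__ == "__main__":
    results, sender = replay(TRACE)
    print(results)                 # ['advance', 'drop', 'advance', 'duplicate']
    print(sender.suspicious)       # [(10000, 3920)]
```

The point of the check is that the window only advances on acknowledgements of bytes that were actually put on the wire, so a peer cannot talk the sender into transmitting faster than delivery is really happening; the rejected entries in `suspicious` are also a natural thing to count and alert on per connection.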