It is indeed not well documented.
The reason for that is maybe because stateful firewalls and IPS’s will
simply drop ACK packets participating in this attack ,i.e., out-of-session
Ack packets are dropped, thus the attack is prevented without any specific
log that really identify it.
Regarding in-session Fast Repeat Ack, this type is more difficult to
accurately detect and prevent (but possible of course). Most firewalls and
IPS will not detect it.
You can search for "Ack Storm", you might find more information about it
Avi C
>From: jono29_at_gmail.com
>To: focus-ids_at_securityfocus.com
>Subject: Type of Attack Vector
>Date: 25 Jan 2006 15:11:22 -0000
>
>Hi List,
>
>I have recently come across a type of attack vector named "Fast Repeat
>Ack". Having searched through various sources of information such as MySDN
>and MSDN I have been unable to find anything specific to this vector,
>although I have found alot of info on the other connection orientated
>attacks such as Syn Flood and Half Open Syn.
>Any information will be greatly received, and any links to useful sources
>appreciated.
>
>Thanks for your time,
>
>------------------------------------------------------------------------
>Test Your IDS
>
>Is your IDS deployed correctly?
>Find out quickly and easily by testing it
>with real-world attacks from CORE IMPACT.
>Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>to learn more.
>------------------------------------------------------------------------
>
_________________________________________________________________
Don't just search. Find. Check out the new MSN Search!
http://search.msn.com/
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
Received on Feb 07 2006
Intro
