Re: Why bandwidth consuming ddos attack using only udp or icmp?

["Amol Sapkal" <amolsapkal () gmail com>]

Hello Monty,

On 3/2/08, MontyRee <chulmin2 () hotmail com> wrote:
> Thanks again for your answer.
> I know already the difference of tcp and other stateless protocol.
>
> What I would like to know is that some data included spoofed tcp packets
> without 3 way handshake is possible or not?
> Is it impossible?

I am not sure if I understand your query, correct. But let me try to
answer it. I presume you are asking 'whether a TCP-based bandwidth
(link bandwidth) exhaustion attack is possible, without the completion
of 3-way handshake?'

The answer is, no. If you are not completing a 3-way handshake, the
maximum damage you can do is generate TCP-SYN from spoofed IPs
(multiple IPs). In this case, the handshakes won't be completed and
the only traffic that your attack is is going to consume is the
TCP-SYN traffic.

Let's take the minimum values: TCP header is 20 bytes and the IP
header is 20 bytes. That's 40 bytes of traffic per TCP SYN. Now, even
if you consider another 20 bytes for the link encapsulation overhead,
the total traffic a spoofed connection will generate is 60 bytes.

Now, even a 1000 TCP SYN connections would utilise only around 60K of
link bandwidth. Given the existing networks, 60K is a very low
bandwidth. And, even before you choke up the bandwidth, the TCP
service on the Internet server, will die first.

So unless you have a self-spreading trojan, that would spoof traffic
or even send real connections to a webserver (from say, 10,000
machines), it would be difficult to create a bandwidth choke. Again,
trojans that can affect 10,000 machines, would ideally be quickly
detected.
(Remember the attack against the Sun website, when they had trouble
with open-source software. That's something I term as a real DDOS
attack)

HTH,
Amol


> Regards.
>
>
>
> > Sending huge data on TCP would require the TCP handshake be completed
> > first. If the connection was initiated using a spoofed source IP, then how
> > would the handshake complete. If real IP is used in order to complete the
> > handshake, then the source identity (IP) is revealed.
>
> > Ajay Tikoo
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of MontyRee
> Sent: Saturday, March 01, 2008 9:15 AM
> To: gillettdavid () fhda edu; security-basics () securityfocus com
> Subject: RE: Why bandwidth consuming ddos attack using only udp or icmp?
>
>
> Thanks for your answer.
>
>
> Sorry for my poor english.
> what I would like to know is why ddos attacker don't using tcp for
> bandwidth consuming attack?
>
> for example, attacker can create some data included spoofed tcp packet,
> so he can send lots of tcp packets toward to the port 80/tcp of the victim
> like syn flooding attack.
>
> but I didn't see any ddos traffic like this.
>
> If I'm a attacker, this attack(data included spoofed tcp packet) would be
> more effective than udp or icmp, because this protocol can be filtered at
> the router by the policy.
> and syn flooding can be filtered by the syncookies, I think.
> and data included tcp packet toward to port 80 can't be filtered by the
> router, right?
>
>
>
> Thanks for your help.
>
>
> > From: gillettdavid () fhda edu
> > To: chulmin2 () hotmail com; security-basics () securityfocus com
> > Subject: RE: Why bandwidth consuming ddos attack using only udp or icmp?
> > Date: Fri, 29 Feb 2008 08:51:25 -0800
> >
> > > So, some network administrator said that he filtered all udp
> > > and icmp just against the bandwidth consuming ddos attack at
> > > the border router.
> > > (Surely some problems would be happen..dns..somethinf like that)
> >
> > Presumably he made an exception for DNS, and perhaps NTP.
> >
> > Note that the bandwidth bottleneck is typically outside the border router,
> > so filters on that router only apply after the bandwidth has been
> > consumed....
> >
> > > Is it impossible or ineffective using tcp for bandwidth
> > > consuming attack in the point of attacker?
> > > anyone who saw the bandwidth consuming attack using tcp?
> >
> > It's not impossible, but it's extra work, and reveals the attacker's IP
> > address to anyone who detects the attack. (Or at least one or more
> > addresses under the attacker's control.)
> >
> > In your case, the TCP portion of the attack is probably trying to
> > exhaust half-open connection entries (SYN flood) rather than bandwidth.
> > He can use spoofed source addresses for that.
> >
> > David Gillett
> >
> >
> >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com
> > > [mailto:listbounce () securityfocus com] On Behalf Of MontyRee
> > > Sent: Thursday, February 28, 2008 6:52 PM
> > > To: security-basics () securityfocus com
> > > Subject: Why bandwidth consuming ddos attack using only udp or icmp?
> > >
> > >
> > >
> > > Hello, list.
> > >
> > > I have operated network in my company and recently I have
> > > experienced some ddos attack(inbound) on my network.
> > >
> > > It seems that the ddos attack was divided in two
> > >
> > > first, the bandwidth consuming attack was all consist of udp
> > > or icmp using big size packet(about 1500 byte).
> > > second tcp based attack for example http(80/tcp) is mostly
> > > creates lots of pps using small size packet(about 40 byte )
> > >
> > > So, some network administrator said that he filtered all udp
> > > and icmp just against the bandwidth consuming ddos attack at
> > > the border router.
> > > (Surely some problems would be happen..dns..somethinf like that)
> > >
> > > and I have one question.
> > >
> > > Is it impossible or ineffective using tcp for bandwidth
> > > consuming attack in the point of attacker?
> > > anyone who saw the bandwidth consuming attack using tcp?
> > >
> > >
> > > Thanks in advance.