Re: Why bandwidth consuming ddos attack using only udp or icmp?

[pinowudi <pinowudi () gmail com>]

UDP data sizes can be much larger than tcp.  also, with udp/icmp, one
can easily spoof the source address adn still have the packet route to
its destination.  because there is no 3-way handshake, udp packets can
just be generated one-after-the-other, creating a much higher load on
the routing bandwidth.  If initiated from multiple stations that are
geographically diverse, the individual routing loads can be reduced
until the traffic reaches a bottleneck close to the target, frequently
the target's own border router.

With TCP, the game is SYN production exhaustion, which basically uses up
all of the memory allocated to the tcp stack in syn response, preventing
its use for packet management of existing streams.  Perform a ddos
against a web server with 50+ distributed hosts throwing a few thousand
requests per minute each and you could bring just about any server to
its knees.  If not the TCP management, then the traffic would increase
the load on the page response by the web server or the processing of so
many queries by the database.  This is where reverse-proxy caching
really shines in reducing these loads to improve response capability for
things like ddos.  With a traffic-shaping load balancer, you're getting
a moderate defense against a good ddos.  However, having a good contact
within the ISP that can get filters implemented at their level is
absolutely essential.

Ajay Tikoo wrote:
> Though, technically, you can include data in a SYN packet, please note the
> following:
>
> 1. There is a limit on the size of each TCP packet (assume 1500 Bytes).
> 2. If you send 3000 such packets, the bandwidth consumed = 3000 x 1500 =
> 4.5 MB.
> 3. You would not consider sending 4.5 MB to a server a bandwidth attack.
> 4. If common-sense prevails, there will be too many half-open connections
> before the step 2 above is completed.
>
> I hope that answers your question.
>
> Ajay Tikoo
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of MontyRee
> Sent: Saturday, March 01, 2008 7:47 PM
> To: security-basics () securityfocus com; brian.bevers () gmail com;
> ajay () printwire org
> Subject: RE: Why bandwidth consuming ddos attack using only udp or icmp?
>
>
> Thanks again for your answer.
> I know already the difference of tcp and other stateless protocol.
>
> What I would like to know is that some data included spoofed tcp packets 
> without 3 way handshake is possible or not?
> Is it impossible?
>  
>
> Regards.
>
>
>
> > Sending huge data on TCP would require the TCP handshake be completed
> > first. If the connection was initiated using a spoofed source IP, then how
> > would the handshake complete. If real IP is used in order to complete the
> > handshake, then the source identity (IP) is revealed.
>
> > Ajay Tikoo
>
>
>
>
> ?
> ?
>  
>
> ?
>
>
> Mobile : 
> Email??: 
> Web???: http://www.sd.zain.com/
> --------------------------------------------------------------------------
> ?
>
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of MontyRee
> Sent: Saturday, March 01, 2008 9:15 AM
> To: gillettdavid () fhda edu; security-basics () securityfocus com
> Subject: RE: Why bandwidth consuming ddos attack using only udp or icmp?
>
>
> Thanks for your answer.
>
>
> Sorry for my poor english. 
> what I would like to know is why ddos attacker don't using tcp for
> bandwidth consuming attack?
>
> for example, attacker can create some data included spoofed tcp packet, 
> so he can send lots of tcp packets toward to the port 80/tcp of the victim
> like syn flooding attack.
>
> but I didn't see any ddos traffic like this.
>  
> If I'm a attacker, this attack(data included spoofed tcp packet) would be
> more effective than udp or icmp, because this protocol can be filtered at
> the router by the policy. 
> and syn flooding can be filtered by the syncookies, I think.
> and data included tcp packet toward to port 80 can't be filtered by the
> router, right?
>
>
>
> Thanks for your help. 
>
>
> > From: gillettdavid () fhda edu
> > To: chulmin2 () hotmail com; security-basics () securityfocus com
> > Subject: RE: Why bandwidth consuming ddos attack using only udp or icmp?
> > Date: Fri, 29 Feb 2008 08:51:25 -0800
> >
> > > So, some network administrator said that he filtered all udp
> > > and icmp just against the bandwidth consuming ddos attack at
> > > the border router.
> > > (Surely some problems would be happen..dns..somethinf like that)
> > Presumably he made an exception for DNS, and perhaps NTP.
> >
> > Note that the bandwidth bottleneck is typically outside the border router,
> > so filters on that router only apply after the bandwidth has been
> > consumed....
> >
> > > Is it impossible or ineffective using tcp for bandwidth
> > > consuming attack in the point of attacker?
> > > anyone who saw the bandwidth consuming attack using tcp?
> > It's not impossible, but it's extra work, and reveals the attacker's IP
> > address to anyone who detects the attack. (Or at least one or more
> > addresses under the attacker's control.)
> >
> > In your case, the TCP portion of the attack is probably trying to
> > exhaust half-open connection entries (SYN flood) rather than bandwidth.
> > He can use spoofed source addresses for that.
> >
> > David Gillett
> >
> >
> >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com
> > > [mailto:listbounce () securityfocus com] On Behalf Of MontyRee
> > > Sent: Thursday, February 28, 2008 6:52 PM
> > > To: security-basics () securityfocus com
> > > Subject: Why bandwidth consuming ddos attack using only udp or icmp?
> > >
> > >
> > >
> > > Hello, list.
> > >
> > > I have operated network in my company and recently I have
> > > experienced some ddos attack(inbound) on my network.
> > >
> > > It seems that the ddos attack was divided in two
> > >
> > > first, the bandwidth consuming attack was all consist of udp
> > > or icmp using big size packet(about 1500 byte).
> > > second tcp based attack for example http(80/tcp) is mostly
> > > creates lots of pps using small size packet(about 40 byte )
> > >
> > > So, some network administrator said that he filtered all udp
> > > and icmp just against the bandwidth consuming ddos attack at
> > > the border router.
> > > (Surely some problems would be happen..dns..somethinf like that)
> > >
> > > and I have one question.
> > >
> > > Is it impossible or ineffective using tcp for bandwidth
> > > consuming attack in the point of attacker?
> > > anyone who saw the bandwidth consuming attack using tcp?
> > >
> > >
> > > Thanks in advance.
> > >
> > > _________________________________________________________________
>
> _________________________________________________________________
> 나의 글로벌 인맥, Windows Live Space!  
> http://www.spaces.live.com
>
> --------------------------------------------------------------------------
> Disclaimer
>
> This communication is intended for the above named person and is
> confidential and / or legally privileged. Any opinion(s) expressed in this
> communication are not necessarily those of the Zain. If it has come to you
> in error you must take no action based upon it, nor must you print it, copy
> it, forward it, or show it to anyone. Please delete and destroy the e-mail
> and any attachments and inform the sender immediately. Thank you.
> Zain is not responsible for the political, religious, racial or partisan
> opinion in any correspondence conducted by its domain users. Therefore, any
> such opinion expressed, whether explicitly or implicitly, in any said
> correspondence is not to be interpreted as that of Zain.
> Zain may monitor all incoming and outgoing e-mails in line with Zain
> business practice. Although Zain has taken steps to ensure that e-mails and
> attachments are free from any virus, we advise that, in keeping with best
> business practice, the recipient must ensure they are actually virus free.
> ”