Re: Why bandwidth consuming ddos attack using only udp or icmp?

["Brian Bevers" <brian.bevers () gmail com>]

Research connection vs connectionless oriented protocols and the way
they function and you will have the obvious answer. ;)



On 3/1/08, MontyRee <chulmin2 () hotmail com> wrote:
> Thanks for your answer.
>
>
> Sorry for my poor english.
> what I would like to know is why ddos attacker don't using tcp for bandwidth
> consuming attack?
>
> for example, attacker can create some data included spoofed tcp packet,
> so he can send lots of tcp packets toward to the port 80/tcp of the victim
> like syn flooding attack.
>
> but I didn't see any ddos traffic like this.
>
> If I'm a attacker, this attack(data included spoofed tcp packet) would be
> more effective than udp or icmp, because this protocol can be filtered at
> the router by the policy.
> and syn flooding can be filtered by the syncookies, I think.
> and data included tcp packet toward to port 80 can't be filtered by the
> router, right?
>
>
>
> Thanks for your help.
>
>
> > From: gillettdavid () fhda edu
> > To: chulmin2 () hotmail com; security-basics () securityfocus com
> > Subject: RE: Why bandwidth consuming ddos attack using only udp or icmp?
> > Date: Fri, 29 Feb 2008 08:51:25 -0800
> >
> > > So, some network administrator said that he filtered all udp
> > > and icmp just against the bandwidth consuming ddos attack at
> > > the border router.
> > > (Surely some problems would be happen..dns..somethinf like that)
> >
> > Presumably he made an exception for DNS, and perhaps NTP.
> >
> > Note that the bandwidth bottleneck is typically outside the border router,
> > so filters on that router only apply after the bandwidth has been
> > consumed....
> >
> > > Is it impossible or ineffective using tcp for bandwidth
> > > consuming attack in the point of attacker?
> > > anyone who saw the bandwidth consuming attack using tcp?
> >
> > It's not impossible, but it's extra work, and reveals the attacker's IP
> > address to anyone who detects the attack. (Or at least one or more
> > addresses under the attacker's control.)
> >
> > In your case, the TCP portion of the attack is probably trying to
> > exhaust half-open connection entries (SYN flood) rather than bandwidth.
> > He can use spoofed source addresses for that.
> >
> > David Gillett
> >
> >
> >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com
> > > [mailto:listbounce () securityfocus com] On Behalf Of MontyRee
> > > Sent: Thursday, February 28, 2008 6:52 PM
> > > To: security-basics () securityfocus com
> > > Subject: Why bandwidth consuming ddos attack using only udp or icmp?
> > >
> > >
> > >
> > > Hello, list.
> > >
> > > I have operated network in my company and recently I have
> > > experienced some ddos attack(inbound) on my network.
> > >
> > > It seems that the ddos attack was divided in two
> > >
> > > first, the bandwidth consuming attack was all consist of udp
> > > or icmp using big size packet(about 1500 byte).
> > > second tcp based attack for example http(80/tcp) is mostly
> > > creates lots of pps using small size packet(about 40 byte )
> > >
> > > So, some network administrator said that he filtered all udp
> > > and icmp just against the bandwidth consuming ddos attack at
> > > the border router.
> > > (Surely some problems would be happen..dns..somethinf like that)
> > >
> > > and I have one question.
> > >
> > > Is it impossible or ineffective using tcp for bandwidth
> > > consuming attack in the point of attacker?
> > > anyone who saw the bandwidth consuming attack using tcp?
> > >
> > >
> > > Thanks in advance.
> > >
> > > _________________________________________________________________
> > > 확 달라진 MSN 홈페이지, 지금 바로 만나보세요!
> > > http://www.msn.co.kr
>
> _________________________________________________________________
> 확 달라진 MSN 홈페이지, 지금 바로 만나보세요!
> http://www.msn.co.kr

-- 
Sent from Gmail for mobile | mobile.google.com