Abstract
We present Ack-storm DoS attacks, a new family of DoS attacks exploiting a subtle design flaw in the core TCP specifications. The attacks can be launched by a very weak MitM attacker, which can only eavesdrop occasionally and spoof packets (a Weakling in the Middle (WitM)). The attacks can reach theoretically unlimited amplification; we measured amplification of over 400,000 against popular websites before aborting our trial attack.
Ack-storm DoS attacks are practical. In fact, they are easy to deploy at large scale, especially considering the widespread availability of open wireless networks, which give an attacker easy WitM abilities over thousands of connections. Storm attacks can be launched against the access network (e.g. blocking access to a proxy web server), against web sites, or against the Internet backbone. Storm attacks work against TLS/SSL connections just as well as against unprotected TCP connections, but fail against IPsec or link-layer encrypted connections.
We show that Ack-storm DoS attacks can be easily prevented by a simple fix to TCP, in either client or server, or by using a packet-filtering firewall.
Keywords
- Denial of service
- TCP
- secure network protocols
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Abramov, R., Herzberg, A. (2011). TCP Ack Storm DoS Attacks. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds) Future Challenges in Security and Privacy for Academia and Industry. SEC 2011. IFIP Advances in Information and Communication Technology, vol 354. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21424-0_3
DOI: https://doi.org/10.1007/978-3-642-21424-0_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21423-3
Online ISBN: 978-3-642-21424-0
eBook Packages: Computer Science (R0)