Thread: Slow motion Dos attacks!

  1. #1
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003

    Slow motion Dos attacks!

    Hi guys,
    A little heads up if you haven't seen this. Apparently there is a proof of concept for a new type of DOS attack. From what I understand it works by opening a TCP connection then sending no free buffer packet to the server. This blocks the server connection open as it will then send ACK packets waiting for the buffer to clear. Here is a link to the story:
    http://mybroadband.co.za/news/quick-...to-detect.html
    Anyone have a take on this?
    cheers
    Muracu
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)

  2. #2
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    As this says
    Shekyan said in his post about the tool that this type of attack could be prevented by setting up rules in the Web server's configuration that refuse connections from clients with abnormally small data window settings, and limit the lifetime of an individual request.
    Anyhow, surely your HIPS system would pick this up.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein
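
The two rules quoted in post #2 (refuse abnormally small data windows, limit the lifetime of an individual request), sketched as an added example that is not from the thread or from Shekyan's tool. The thresholds, the `Sample` record and the traces are constructed assumptions.

```python
from dataclasses import dataclass

# All thresholds are assumptions chosen for illustration, not values from the thread.
MIN_WINDOW = 512           # bytes; below this the advertised window is "abnormally small"
MAX_STALL_SECONDS = 30     # longest tolerated run of small-window segments
MAX_REQUEST_SECONDS = 120  # hard cap on the lifetime of one request

@dataclass
class Sample:
    t: float     # seconds since the request was accepted
    window: int  # receive window the client advertised at that moment

def verdict(samples):
    """Classify one connection's trace as 'ok', 'small-window-stall' or 'request-lifetime'."""
    stall_start = None
    for s in samples:
        if s.window < MIN_WINDOW:
            if stall_start is None:
                stall_start = s.t
            if s.t - stall_start >= MAX_STALL_SECONDS:
                return "small-window-stall"
        else:
            stall_start = None  # client is reading again, reset the stall timer
        if s.t >= MAX_REQUEST_SECONDS:
            return "request-lifetime"
    return "ok"

# Constructed traces (time, advertised window); not captured traffic.
TRACES = {
    "normal":       [Sample(0.0, 65535), Sample(0.2, 64240), Sample(0.5, 65535)],
    "brief_stall":  [Sample(0, 65535), Sample(1, 0), Sample(3, 0), Sample(4, 32768)],
    "slow_read":    [Sample(0, 28), Sample(5, 0), Sample(10, 0), Sample(20, 0), Sample(35, 0)],
    "long_request": [Sample(0, 65535), Sample(60, 65535), Sample(130, 65535)],
}

def classify_all(traces=TRACES):
    return {name: verdict(samples) for name, samples in traces.items()}

if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:13s} {result}")
```

The `brief_stall` trace is the false-positive case: a client that advertises a zero window for a couple of seconds and then resumes reading is left alone.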

  3. #3
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I'm pretty sure you could test this out using Hping or IPSorcery, two tools I've been using and swear by for a long time now.

    I don't know if there are versions for Windows so I can't give any info about that. Basically they are packet creation tools to make your own packets.

  4. #4
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    Here is Sergey Shekyan's blog with the POC.

    https://community.qualys.com/blogs/s...1/05/slow-read

    Effectively once the attack is known it seems easy enough to block. I doubt if your HIPS would pick it up by default as it uses very low traffic to perform the DOS and it is a new attack type. Still it will be interesting to see if this evolves and starts popping up in the wild.

    Edit:
    Link to the TCP vulnerability exploited:
    http://www.kb.cert.org/vuls/id/723308
    Last edited by MURACU; January 24th, 2012 at 12:34 PM.
