[e2e] Redirection-Based Flooding Attacks (was Re: DDoS attack vs. Spoofing of Source Address)
Christian Vogt
chvogt at tm.uka.de
Wed Feb 1 03:47:02 PST 2006
> This is what you wrote. The attacker behaves like a TCP receiver. My
> question is: What happens when the attacker redirects the flow to the
> victim? Does the attacker continue to spoof ACK packets then?
It begins spoofing ACK packets then. Of course, it can send correct ACK
packets before the redirection.
> If so,
> this could be perhaps a rather inefficient way for an attack because
> the attacker must continue to spoof ACK packets all the time. So, the
> motivation for doing so would be for the attacker to hide its
> identity from both the victim and the sender and have the DoS flow
> appear like an ordinary TCP flow from the (abused) sender. Is this
> correct? In fact, I didn't see this kind of motivation yesterday.
The motivation is about amplification: The attacker can send one small
ACK packet for each two (usually full-sized) segments that the TCP
sender generates.
- Christian
--
Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH)
www.tm.uka.de/~chvogt/pubkey/
Detlef Bosau wrote:
> Christian Vogt wrote:
>
>> Detlef,
>>
>> the attacker would have to send TCP acknowledgments in order to
>> make the TCP sender assume that the packets go to the right IP
>> address. If the mobility protocol allows only for a single
>> address' registration, the TCP acknowledgments have to be spoofed.
>
>
> This is what you wrote. The attacker behaves like a TCP receiver. My
> question is: What happens when the attacker redirects the flow to the
> victim? Does the attacker continue to spoof ACK packets then? If so,
> this could be perhaps a rather inefficient way for an attack because
> the attacker must continue to spoof ACK packets all the time. So, the
> motivation for doing so would be for the attacker to hide its
> identity from both the victim and the sender and have the DoS flow
> appear like an ordinary TCP flow from the (abused) sender. Is this
> correct? In fact, I didn't see this kind of motivation yesterday.