
TCP-Starvation - simosx
https://github.com/Eplox/TCP-Starvation
======
Matheus28
This is a really, really old attack. One way to protect against this is by
limiting the number of open connections per IP. So if you can have up to 30000
sockets open in your process, 30 per IP is plenty to prevent most attackers.

IPv6 changes this a bit, so one might want to do a limit per subnet, say 30
per /64.

~~~
gruez
>IPv6 changes this a bit, so one might want to do a limit per subnet, say 30
per /64.

Works great until your users use an ISP that hands out /128 rather than /64

~~~
moviuro
> ISP that hands out /128 rather than /64

Seriously? Who even hands out one single /64 or smaller? It's not like handing
out /48s instead is going to deplete the IPv6 pool space [0].

[0]
[https://www.wolframalpha.com/input/?i=2%5E48+%2F+people+on+e...](https://www.wolframalpha.com/input/?i=2%5E48+%2F+people+on+earth)

~~~
magnat
> Who even hands out one single /64 or smaller?

Budget VPS/dedicated server providers, such as OVH:
[https://www.kimsufi.com/en/servers.xml](https://www.kimsufi.com/en/servers.xml)

~~~
jandrese
DigitalOcean hands out /124s. Then they realized that blackholes were hitting
multiple droplets (VMs) at once because people blackhole entire /64s, so their
solution was to block ports on IPv6 instead of doing the sensible thing and
handing out /64s to the droplets.
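
The per-source cap Matheus28 describes (30 open connections per IPv4 address, or per /64 for IPv6), as an added example that is not code from the linked TCP-Starvation repository or from any commenter. It also covers the two wrinkles raised in the replies: the bucket prefix is a parameter because some providers hand out /124s or /128s, and IPv4-mapped IPv6 peers (`::ffff:a.b.c.d`, as a dual-stack listener reports them) are keyed by the embedded IPv4 address, since otherwise every IPv4 client would share the single `::/64` bucket. The class and function names, the 30/64 defaults and the documentation-range sample addresses are all assumptions made for the example.

```python
import ipaddress


class ConnectionLimiter:
    """Count open connections per source and refuse new ones past a cap.

    IPv4 peers are keyed by address. IPv6 peers are keyed by their /64 by
    default, so an attacker cannot dodge the cap by rotating through the
    2**64 addresses of one delegated prefix. IPv4-mapped IPv6 addresses
    (::ffff:a.b.c.d) are keyed by the embedded IPv4 address; treating them
    as IPv6 would put every IPv4 peer into the one ::/64 bucket, and 30
    connections from a single host would then lock out all IPv4 users.
    """

    def __init__(self, per_key_limit=30, ipv6_prefix=64):
        # Defaults follow the thread's suggestion (30 per IP / per /64); both
        # are tunables, not values taken from any real deployment.
        self.limit = per_key_limit
        self.ipv6_prefix = ipv6_prefix
        self.open = {}  # bucket key -> number of currently open connections

    def key_for(self, peer):
        """Map a peer address string to the bucket it is counted under."""
        addr = ipaddress.ip_address(peer)
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if addr.version == 4:
            return str(addr)
        net = ipaddress.ip_network(f"{addr}/{self.ipv6_prefix}", strict=False)
        return str(net)

    def try_accept(self, peer):
        """Return True and count the connection, or False to refuse it."""
        key = self.key_for(peer)
        count = self.open.get(key, 0)
        if count >= self.limit:
            return False
        self.open[key] = count + 1
        return True

    def release(self, peer):
        """Call when a counted connection closes or is reaped by a timeout."""
        key = self.key_for(peer)
        count = self.open.get(key, 0)
        if count <= 1:
            self.open.pop(key, None)
        else:
            self.open[key] = count - 1


def simulate(limiter, peers):
    """Feed a sequence of connection attempts; return (accepted, refused)."""
    accepted = refused = 0
    for peer in peers:
        if limiter.try_accept(peer):
            accepted += 1
        else:
            refused += 1
    return accepted, refused


if __name__ == "__main__":
    # Constructed sample traffic using documentation-range addresses.
    lim = ConnectionLimiter(per_key_limit=30)
    flood_v4 = ["198.51.100.9"] * 35
    flood_v6 = [f"2001:db8:1:2::{i:x}" for i in range(1, 36)]  # one /64
    flood_mapped = ["::ffff:192.0.2.7"] * 35
    print("IPv4 flood:       ", simulate(lim, flood_v4))      # (30, 5)
    print("IPv6 /64 flood:   ", simulate(lim, flood_v6))      # (30, 5)
    print("mapped IPv4 flood:", simulate(lim, flood_mapped))  # (30, 5)
    # Other sources are unaffected by the exhausted buckets.
    print(lim.try_accept("2001:db8:9:9::1"), lim.try_accept("203.0.113.4"))  # True True
```

Two things the cap does not do on its own: it does not free the sockets an attacker has already parked (a stalled connection still has to be reaped by a keepalive or idle timeout, which is what `release` would be called from), and with a provider that assigns /124s or /128s to separate customers, one `ipv6_prefix=64` bucket is shared by hosts that have nothing to do with each other, so a noisy neighbour can exhaust it for everyone in that /64.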

------
zonovar
It's a very old attack (~2000) named NAPTHA.
[http://www.securiteam.com/securitynews/6B0031F0KA.html](http://www.securiteam.com/securitynews/6B0031F0KA.html)

------
toredash
Surprised by the amount of work done on the research but none(?) on past
research on the same topic.

~~~
60654
"Three weeks in the lab saves you three days in the library," as the old grad
school quip goes. :)

(And yeah, this is a classic failure mode of TCP...)

------
anfractuosity
Is this similar to Slowloris at all?

Edit: With Slowloris it looks like the connection isn't closed client side
though?

Although I'm just wondering if they're dropping the FINs anyway.

~~~
rini17
With Slowloris there are no missing TCP packets and client sends the correct
request but VERY slowly.

~~~
anfractuosity
Cheers, yeah that's a good point

------
amelius
What is a good tool on Linux for testing such attacks?

