Hacker News
TCP-Starvation (github.com)
63 points by simosx on Feb 12, 2018 | 14 comments

This is a really, really old attack. One way to protect against this is by limiting the number of open connections per IP. So if you can have up to 30000 sockets open in your process, 30 per IP is plenty to prevent most attackers.

IPv6 changes this a bit, so one might want to do a limit per subnet, say 30 per /64.
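A sketch of the per-IP / per-/64 connection limiter this comment describes, as an added example and not code from the thread or the linked repository. The limits (30 per client, 30000 sockets per process) are the comment's figures; the IPv6 bucketing by /64 is an assumption that one host owns a whole /64, which is exactly what misfires when an ISP hands out /128s and unrelated customers land in one bucket.

```python
import ipaddress
from collections import defaultdict

# Policy values taken from the comment above (assumed, tune per deployment):
# 30 open connections per client bucket, ~30000 sockets for the whole process.
PER_CLIENT_LIMIT = 30
PROCESS_SOCKET_LIMIT = 30000


def client_bucket(ip: str) -> str:
    """Map a peer address to the bucket it is limited under.

    IPv4: the single address. IPv6: the enclosing /64, on the assumption that a
    host is handed a whole /64 and could spread connections across it.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return str(ipaddress.ip_network(f"{addr}/64", strict=False))


class ConnectionLimiter:
    """Counts open connections per bucket; call release() when a socket closes."""

    def __init__(self, per_client=PER_CLIENT_LIMIT, total=PROCESS_SOCKET_LIMIT):
        self.per_client = per_client
        self.total = total
        self.open_total = 0
        self.open_by_bucket = defaultdict(int)

    def try_accept(self, ip: str) -> bool:
        """Return True if the new connection may stay open, False to close it now."""
        bucket = client_bucket(ip)
        if self.open_total >= self.total or self.open_by_bucket[bucket] >= self.per_client:
            return False
        self.open_by_bucket[bucket] += 1
        self.open_total += 1
        return True

    def release(self, ip: str) -> None:
        """Free a slot when the connection closes (or is reaped by a timeout)."""
        bucket = client_bucket(ip)
        if self.open_by_bucket[bucket] > 0:
            self.open_by_bucket[bucket] -= 1
            self.open_total -= 1
        if self.open_by_bucket[bucket] == 0:
            del self.open_by_bucket[bucket]


def simulate_flood(ip_list, limiter=None) -> int:
    """Constructed scenario: how many of the attempted connections are accepted."""
    limiter = limiter or ConnectionLimiter()
    return sum(limiter.try_accept(ip) for ip in ip_list)
```

The per-bucket cap must be paired with a timeout that calls release() on idle sockets, otherwise a single client simply parks its 30 slots forever.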

>IPv6 changes this a bit, so one might want to do a limit per subnet, say 30 per /64.

Works great until your users use an ISP that hands out /128 rather than /64.

> ISP that hands out /128 rather than /64

Seriously? Who even hands out one single /64 or smaller? It's not like handing out /48s instead is going to deplete the IPv6 pool space [0].

[0] https://www.wolframalpha.com/input/?i=2%5E48+%2F+people+on+e...

> Who even hands out one single /64 or smaller?

Budget VPS/dedicated server providers, such as OVH: https://www.kimsufi.com/en/servers.xml

DigitalOcean hands out /124s. Then they realized that blackholes were hitting multiple droplets (VMs) at once because people blackhole entire /64s, so their solution was to block ports on IPv6 instead of doing the sensible thing and handing out /64s to the droplets instead.

I didn't even try to use their provided IP(s). I immediately turned to https://tunnelbroker.net (only tunnel broker left?)

Doesn't Comcast only hand out /64 to its residential customers?

It's a very old attack (~2000) named NAPTHA. http://www.securiteam.com/securitynews/6B0031F0KA.html

Surprised by the amount of work done on the research but none(?) on past research on the same topic.

"Three weeks in the lab saves you three days in the library," as the old grad school quip goes. :)

(And yeah, this is a classic failure mode of TCP...)

Is this similar to Slowloris at all?

Edit: With Slowloris it looks like the connection isn't closed client side though?

Although I'm just wondering whether they're dropping the FINs anyway.

With Slowloris there are no missing TCP packets and the client sends the correct request, but VERY slowly.

Cheers, yeah, that's a good point.

What is a good tool on Linux for testing such attacks?
