New DoS attack sweet! *Warning Technical*

http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=164939

http://insecure.org/stf/tcp-dos-attack-explained.html

Yeah, that has been out for a few days now. Caught my eye on Slashdot when they talked about how it can not only take down systems but keep them down.

More and more of this is coming up now :shrug:

Guess time will tell… I disagree with the second link saying that it is BS, I am sure it is possible…

edit: and I don't get why you class this as technical, as nothing technical is being discussed :stuck_out_tongue:

"
The observation: You can use a SYN-cookie-like trick on the client side as well, for an attacker:

You send SYNs where the initial seq # = H(sip, dip, sport, dport).

Now when you get a SYN/ACK back, you can send the ACK to complete the handshake. You can use the ACK field back from the server to know where you are in what data to send (just subtract the value from the initial sequence # to know what the next piece of data to send is), and you can know where you are in the received data (if necessary) by storing just the server’s initial sequence #.

As a result, you can now interact with the server without having to maintain ANY TCP session state, or just a single word (the server’s initial seq #), allowing the attacker to use vastly fewer resources to tie up server resources.

On one hand, this is a cool trick, and potentially useful for an attacker: if you have only a couple of machines and really want to tie up server resources, you can use this quite quickly.

But OTOH, attackers already have so many zombie resources that this really doesn't necessarily buy the attacker all that much: If you have 10K machines banging on a server, the 10K machines have a good 2000x more state than the servers. So who cares about state-holding requirements on the zombie side? Thus I think it's only really relevant if you wanted to DoS Google, Akamai, or some similar very-high-resource infrastructure.

And as the attacker can't SPOOF packets with this (it needs to see the SYN/ACK), the zombies can be filtered if the DoS is detected and the attackers identified as well."

If I get some time… I will throw together a PoC based on this…
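The quoted trick, as an added simulation that is not part of the thread or of any PoC mentioned in it: a client whose ISN is a keyed hash of the 4-tuple (the key is my addition; the quote only says H(sip, dip, sport, dport)), answering each server segment from nothing but that segment, the key and the static payload, against a server that has to keep a table entry per connection. There are no sockets; the segments are dicts, and the IPs, ports, secret and payload are constructed values for the example.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF

# Constructed inputs for this example (assumptions, not values from the thread).
SECRET = b"per-run attacker secret"   # keys the ISN hash, as a SYN-cookie secret does server-side
PAYLOAD = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"
MSS = 8                                # tiny segment size so the exchange needs several round trips


def client_isn(secret, sip, dip, sport, dport):
    """ISN = H(sip, dip, sport, dport): the client's initial sequence number is recomputable
    from the 4-tuple, so nothing per-connection has to be stored."""
    msg = f"{sip}|{dip}|{sport}|{dport}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def client_syn(secret, sip, dip, sport, dport):
    """First segment of the handshake; the only thing it carries is the hashed ISN."""
    return {"src_ip": sip, "dst_ip": dip, "src_port": sport, "dst_port": dport,
            "flags": "S", "seq": client_isn(secret, sip, dip, sport, dport), "ack": 0, "data": b""}


def client_reply(secret, inbound, payload, mss=MSS):
    """Answer one inbound segment using only that segment, the secret and the static payload.

    Returns the next segment to send, or None when the segment does not line up with an ISN
    we would have generated (forged or stale) or when the whole payload has been acknowledged.
    """
    sip, dip = inbound["dst_ip"], inbound["src_ip"]           # swap perspective back to ours
    sport, dport = inbound["dst_port"], inbound["src_port"]
    isn = client_isn(secret, sip, dip, sport, dport)
    syn = "S" in inbound["flags"]
    # ack - ISN - 1 is exactly how many payload bytes the server has received: our only "state".
    offset = (inbound["ack"] - isn - 1) & MASK32
    if offset > len(payload) or (syn and offset != 0):
        return None
    chunk = payload[offset:offset + mss]
    if not chunk and not syn:
        return None                                            # everything delivered; nothing to do
    # The receive side needs only the server's own sequence number, read off the segment.
    server_next = (inbound["seq"] + (1 if syn else 0) + len(inbound["data"])) & MASK32
    return {"src_ip": sip, "dst_ip": dip, "src_port": sport, "dst_port": dport,
            "flags": "PA" if chunk else "A",
            "seq": (isn + 1 + offset) & MASK32, "ack": server_next, "data": chunk}


class StatefulServer:
    """Minimal stateful peer: one table entry per connection, the asymmetry the quote is about."""

    def __init__(self, ip, port, isn=0x20000000):
        self.ip, self.port, self.isn = ip, port, isn
        self.conns = {}   # (client ip, client port) -> {"expect": next client seq, "buf": bytes}

    def handle(self, seg):
        key = (seg["src_ip"], seg["src_port"])
        reply = {"src_ip": self.ip, "dst_ip": seg["src_ip"], "src_port": self.port,
                 "dst_port": seg["src_port"], "data": b""}
        if seg["flags"] == "S":
            self.conns[key] = {"expect": (seg["seq"] + 1) & MASK32, "buf": b""}
            reply.update(flags="SA", seq=self.isn, ack=self.conns[key]["expect"])
            return reply
        st = self.conns.get(key)
        if st is None or seg["seq"] != st["expect"]:
            return None                                        # unknown or out-of-order: drop
        st["buf"] += seg["data"]
        st["expect"] = (st["expect"] + len(seg["data"])) & MASK32
        reply.update(flags="A", seq=(self.isn + 1) & MASK32, ack=st["expect"])
        return reply


def run_exchange(secret=SECRET, payload=PAYLOAD, sip="10.0.0.7", dip="192.0.2.10",
                 sport=40000, dport=80):
    """Drive one full exchange; the client keeps nothing between calls to client_reply."""
    server = StatefulServer(dip, dport)
    seg = client_syn(secret, sip, dip, sport, dport)
    trace = []
    while seg is not None:
        trace.append(seg)
        inbound = server.handle(seg)
        if inbound is None:
            break
        trace.append(inbound)
        seg = client_reply(secret, inbound, payload)
    return server.conns[(sip, sport)]["buf"], trace


if __name__ == "__main__":
    received, trace = run_exchange()
    for s in trace:
        print(f"{s['src_ip']}:{s['src_port']} -> {s['dst_ip']}:{s['dst_port']} "
              f"{s['flags']:2} seq={s['seq']:#010x} ack={s['ack']:#010x} len={len(s['data'])}")
    print("server reassembled:", received)
```

Two things the simulation makes visible that the quote only states: a SYN/ACK whose ack does not match the hashed ISN is dropped by the client without any lookup, and because the hash covers the real source address the client has to receive the SYN/ACK, which is why the quote says the zombies cannot spoof and can be filtered once identified.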

Wouldn't you need to target specific servers for this? For example, can't you knock out a Time Warner server and prevent a pool of users from getting to Google versus actually targeting a Google server itself and preventing everyone?

I haven't sat down and read much yet but from what I remembered, it sounded like it was an ISP/provider DNS attack instead of the actual company's server.

It's a TCP-based attack… it would work against servers, routers, anything listening on a TCP port…

heh, interesting to say the least

Ugh, I am an idiot. I keep reading this wrong and thinking it's a DNS attack lol.

Kinda frazzled today.

These attacks are based on what happens after the connection is actually established… fucking with window size and other variables to eat up resources on the server side… and on the attacking side not actually keeping the connection open…