iopseo.blogg.se

Http ddos attack tool

Recently, the anti-spam organization Spamhaus has come under yet another distributed denial-of-service attack. With some help from our good friends at myNetWatchman we were able to obtain a sample of the malware used in the attack. This one is particularly nasty, starting up 1500 threads to send randomized HTTP requests to Spamhaus' webserver in a loop. This attack tool doesn't have a command-and-control mechanism, so it was likely force-installed on all the infected systems of an existing botnet.

This kind of attack is particularly troublesome to deal with. While simplistic packet-based attacks can be more easily mitigated upstream, with an HTTP-based attack it is often difficult to distinguish attack traffic from legitimate HTTP requests. And because the attack consumes resources from the webserver, not just the system TCP/IP stack, it can quickly bring even a well-tuned webserver to its knees unless the target has better-than-average resources at its disposal to help weather the storm (like Spamhaus does).

Fortunately, most HTTP-based DoS attacks we have seen have a particular weakness - they are vulnerable to a technique known as "tarpitting". This idea was first proposed by Tom Liston many years ago when the first scanning worms hit the Internet, and was implemented in his program LaBrea (which he no longer offers for download, due to legal concerns - however, the source code can still be found elsewhere and should work on Linux or BSD-based operating systems).

The quickest way to implement tarpitting (if your webserver runs on Linux) is in the Linux netfilter source code. If the tarpit module is compiled for your Linux kernel, the operation becomes as simple as "iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT".

Tarpitting works by taking advantage of TCP/IP's idea of window size and state. In a tarpitted session, we respond to the connection initiation as normal, but we immediately set our TCP window size to just a few bytes in size. By design, the connecting system's TCP/IP stack must not send any more data than will fit in our TCP window before waiting for us to ACK the packets sent. This is to allow connections to deal with packet loss that might occur in a normal session. If the sending system doesn't get an ACK to a packet sent, it will resend the packet at increasingly longer intervals. In our tarpitted session, we simply don't ACK any of the post-handshake packets at all, forcing the remote TCP/IP stack to keep trying to send us those same few bytes, but waiting longer each time.
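
Added example (not part of the original article): a small Python model of the tarpitted session described above, showing how long one sending thread stays stuck on a few unacknowledged bytes and what that does to the output of a 1500-thread pool. The 0.2 s starting timer, 120 s cap and 15 retries are assumed values modelled on Linux sender defaults; the 300-byte request, 5-byte window and 0.5 s normal request time are constructed, and each thread is assumed to block on its socket until the stack gives up.

```python
"""Model of a sender stuck in a tarpitted TCP session (added example)."""

def retransmit_waits(initial_rto=0.2, max_rto=120.0, retries=15):
    """Waits after the first send and after each retransmission: the timer
    doubles on every timeout and is capped at max_rto (assumed values)."""
    waits, rto = [], initial_rto
    for _ in range(retries + 1):
        waits.append(min(rto, max_rto))
        rto *= 2
    return waits

def tarpit_timeline(request_len, window, **timer):
    """(time, event) pairs for one connection whose peer advertises a tiny
    window and never ACKs anything after the handshake."""
    in_flight = min(request_len, window)  # sender may not exceed the window
    events, t = [(0.0, f"send {in_flight} of {request_len} bytes")], 0.0
    waits = retransmit_waits(**timer)
    for n, wait in enumerate(waits[:-1], start=1):
        t += wait
        events.append((round(t, 1), f"retransmit #{n} of the same {in_flight} bytes"))
    t += waits[-1]
    events.append((round(t, 1), "sender gives up and closes"))
    return events

def pool_rate(threads, seconds_per_connection):
    """Connections per second produced by a pool of blocking threads."""
    return threads / seconds_per_connection

if __name__ == "__main__":
    # Constructed inputs: 300-byte request, 5-byte advertised window.
    timeline = tarpit_timeline(request_len=300, window=5)
    for t, event in timeline:
        print(f"{t:8.1f}s  {event}")
    held = timeline[-1][0]
    print(f"not tarpitted: {pool_rate(1500, 0.5):8.1f} requests/s")
    print(f"tarpitted    : {pool_rate(1500, held):8.1f} connections/s")
```

Under these assumptions the webserver never receives a complete request from a tarpitted source, because only the first few bytes are ever in flight.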