Linux Netfilter discussions
From: Alex Satrapa <alex@lintelsys.com.au>
To: netfilter@lists.netfilter.org
Subject: Re: General denial question (tarpitting)
Date: Mon, 29 Mar 2004 08:59:50 +1000
Message-ID: <406758E6.8090106@lintelsys.com.au>
In-Reply-To: <4063B458.4030501@smgtec.com>

Daniel Chemko wrote:
> Check out the Patch-o-matic enhancements to netfilter.
> TARPIT? Check.

>> Charlie Braddy wrote, on the qpsmtpd list, which is about
>> a perl drop-in replacement for qmail-smtpd:
>>
>>> If you are going to undertake the noble task of sucking up their 
>>> bandwidth, then I'd suggest that you do the job thoroughly, and make 
>>> sure that their TCP stack decides to retransmit as many packets as 
>>> possible. Use iptables (for instance) to selectively/randomly drop 
>>> packets.

Note that any kind of packet loss as high as 5% will cause the TCP stream to wither and die. I'm not sure of the exact numbers, but if 1 in 20 packets goes missing, you'll find the TCP flow-control ends up backing off more than it regains through the slow-start mechanism. Remember, TCP treats packet loss as a symptom of congestion. The protocol cannot handle sustained packet loss for any other reason.

TARPIT simply causes the transmission to cease by setting the window size to 0. TARPIT achieves DoS only if enough "targeted" sites use the TARPIT option, thus depriving the originator of system resources (required for tracking the connection). TARPIT keeps the connection alive (ACK packets flow freely), but prevents the resources being released, since the data isn't flowing.

Neither packet loss nor TARPIT will result in a demand-side bandwidth DoS.

If you want to achieve DoS by continual retransmission, you'll have to keep sending back ACKs for one particular sequence number, claiming a very large window.
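The claim above that a few percent of packet loss is enough to make a TCP flow "wither" can be checked with a small model. The following is an added example, not part of the original message or of netfilter; it simulates a deliberately simplified Reno-style sender (slow start below ssthresh, additive increase above it, halving of cwnd on any loss within an RTT) with independent per-packet loss, and compares the resulting delivery rate at 0%, 0.1% and 5% loss. The round count, window cap and seed are constructed parameters, and the `mathis_cwnd` helper is the well-known sqrt(3/2p) approximation of the steady-state window, included only as a cross-check.

```python
import math
import random


def simulate_tcp(loss_rate, rounds=2000, seed=1, max_cwnd=1000):
    """Return the average number of packets delivered per RTT for a
    simplified TCP sender over `rounds` RTTs.

    Model (constructed for illustration, not a full TCP implementation):
      - each RTT the sender transmits int(cwnd) packets;
      - each packet is lost independently with probability `loss_rate`;
      - any loss in an RTT halves cwnd (ssthresh = cwnd/2, floor of 2);
      - with no loss, cwnd doubles while below ssthresh (slow start)
        and grows by one packet per RTT above it (congestion avoidance);
      - cwnd is capped at `max_cwnd` so the lossless case stays bounded.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    cwnd = 1.0
    ssthresh = float(max_cwnd)
    delivered = 0
    for _ in range(rounds):
        sent = int(cwnd)
        losses = sum(1 for _ in range(sent) if rng.random() < loss_rate)
        delivered += sent - losses
        if losses:
            # TCP reads loss as congestion and backs off multiplicatively
            ssthresh = max(cwnd / 2, 2.0)
            cwnd = ssthresh
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, max_cwnd)   # slow start
        else:
            cwnd = min(cwnd + 1, max_cwnd)   # additive increase
    return delivered / rounds


def mathis_cwnd(loss_rate):
    """Steady-state window predicted by the Mathis et al. approximation,
    cwnd ~ sqrt(3 / (2 p)), used here only as a sanity check on the model."""
    return math.sqrt(1.5 / loss_rate)


def loss_table(loss_rates=(0.0, 0.001, 0.01, 0.05)):
    """Delivery rate per RTT for each loss rate, as a dict."""
    return {p: simulate_tcp(p) for p in loss_rates}


if __name__ == "__main__":
    for p, rate in loss_table().items():
        est = "n/a" if p == 0 else f"{mathis_cwnd(p):.1f}"
        print(f"loss {p * 100:5.2f}%: ~{rate:7.1f} packets/RTT "
              f"(Mathis estimate of cwnd: {est})")
```

With the default parameters the lossless flow sits at the window cap, 0.1% loss holds the window to a few dozen packets, and 5% loss keeps it in single digits: the sender spends its time recovering rather than growing, which is the "backing off more than it regains" behaviour described above. The model ignores RTT variation, timeouts and SACK, so treat the numbers as orders of magnitude rather than measurements.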


Thread overview: 4+ messages
2004-03-25 21:22 ` General denial question (tarpitting) David Nicol
2004-03-26  4:40   ` Daniel Chemko
2004-03-28 22:59     ` Alex Satrapa [this message]
2004-03-26 17:05 Steve Jones