TCP Flow Control

In this article, let's look at some TCP basics. RFC 793 describes 'flow control' as follows:

RFC 793

https://tools.ietf.org/html/rfc793#page-15


Flow Control: TCP provides a means for the receiver to govern the amount of data sent by the sender. This is achieved by returning a "window" with every ACK indicating a range of acceptable sequence numbers beyond the last segment successfully received. The window indicates an allowed number of octets that the sender may transmit before receiving further permission.


The TCP header contains the Window and Control fields, which can be used for flow control.


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format


Window: 16 bits

The number of data octets beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.


Sliding window


WINDOW AND ACKNOWLEDGEMENT STRATEGY IN TCP : http://www.ietf.org/rfc/rfc813.txt

The window mechanism is a flow control tool. Whenever appropriate, the recipient of data returns to the sender a number, which is (more or less) the size of the buffer which the receiver currently has available for additional data. This number of bytes, called the window, is the maximum which the sender is permitted to transmit until the receiver returns some additional window.

http://www.omnisecu.com/tcpip/tcp-sliding-window.php

  • The sending device can send all packets within the TCP window size without receiving an ACK, and should start a timeout timer for each of them.

  • The receiving device should acknowledge each packet it received, indicating the sequence number of the last well-received packet. After receiving the ACK from the receiving device, the sending device slides the window to the right.



Slow Read DoS attack

The Slow Read DoS attack is one kind of slow HTTP attack. When the web server is made to keep too many resources busy, the result resembles a DoS attack. To create this condition, the attacker can use the following two techniques:
1) Sending the request slowly
2) Reading the response slowly
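
A defender can look for the second technique in packet captures: a slow reader keeps the connection open while advertising a very small or zero Window in its ACKs. The following is an added example, not code from the original post. It decodes the header layout shown above and flags such flows; the thresholds, function names and sample segments are constructed assumptions.

```python
import struct
from collections import defaultdict

ACK, RST, SYN = 0x10, 0x04, 0x02
SMALL_WINDOW = 512  # assumed threshold in octets; tune for your servers
MIN_STREAK = 3      # assumed: consecutive small-window ACKs before flagging

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-octet TCP header from the RFC 793 diagram."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    header_len = (off_flags >> 12) * 4  # Data Offset counts 32-bit words
    if header_len < 20:
        raise ValueError("invalid data offset")
    # Raw 16-bit Window; a window-scale option from the handshake is ignored.
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": off_flags & 0x3F,
            "window": window}

def slow_readers(segments):
    """segments: (client_ip, raw_header) pairs, client-to-server direction.
    Returns flows that sent MIN_STREAK consecutive small-window ACKs."""
    streak, flagged = defaultdict(int), set()
    for ip, raw in segments:
        h = parse_tcp_header(raw)
        if not h["flags"] & ACK or h["flags"] & (SYN | RST):
            continue  # skip handshake and reset segments
        key = (ip, h["sport"])
        streak[key] = streak[key] + 1 if h["window"] < SMALL_WINDOW else 0
        if streak[key] >= MIN_STREAK:
            flagged.add(key)
    return sorted(flagged)

def build_header(sport, window, flags=ACK):
    """Constructed sample segment: no options, checksum left at 0."""
    return struct.pack("!HHIIHHHH", sport, 80, 1000, 2000,
                       (5 << 12) | flags, window, 0, 0)

SAMPLE = [  # constructed traffic; 192.0.2.0/24 is a documentation range
    ("192.0.2.10", build_header(40001, 29200)),
    ("192.0.2.66", build_header(51515, 64)),
    ("192.0.2.66", build_header(51515, 0)),
    ("192.0.2.10", build_header(40001, 100)),  # one brief dip is not flagged
    ("192.0.2.66", build_header(51515, 32)),
]

if __name__ == "__main__":
    print(slow_readers(SAMPLE))
```

A legitimately busy client also advertises a small window for short periods, so in practice the streak should be combined with connection age and per-source connection counts before alerting.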




Example


{{ TBD }}




