Tony Hain wrote:
>> you are right that no packet gets duplicated in this scenario and
>> ultimately the number of packets in equals the number out. But the
>> attack relies on the technique of stuffing packets in over an extended
>> interval and then releasing them all towards the destination in a much
>> shorter time interval.
> This makes no sense. The latency is the same for the entire packet chain, so
> the delay between the first and last should be the same at the exit, modulo
> normal queuing jitter.
Here's an example:
The first N packets do Src -> A -> B -> A -> B -> A -> B -> Dst
The second set of packets do Src -> A -> B -> A -> B -> Dst
The third set of packets do Src -> A -> B -> Dst
Now if you get everything _just right_ in terms of timings (and that
will be tricky) you can get all 3 sets of packets released to the
destination in a burst that is up to 3 x the input packet rate in this
example.
And, yes, there are probably simpler DDoS attacks out there! I was simply
trying to explain what the original work and Joe's draft referred to
when they referred to "capacitance attacks".
regards,
Geoff
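Geoff's timing argument above, worked through as an added simulation. This is not code from the thread, from the original work, or from Joe's draft; the three source-routed paths mirror the example in the post, while the per-link delay, the number of packets per set, and the one-packet-per-time-unit sender are assumptions. It shows the "just right" condition he alludes to: each later set starts N time units after the previous one but takes a path that is two links shorter, so when the delay saved per set equals N, all three sets land on Dst in the same window and the arrival rate is 3x the send rate, while the total packet count in equals the count out, exactly as both sides of the exchange agree.

```python
from collections import Counter

# Constructed topology (assumption, modelled on the post): three source-routed
# paths that bounce between routers A and B a different number of times.
ROUTES = [
    ["Src", "A", "B", "A", "B", "A", "B", "Dst"],  # first set: 7 links
    ["Src", "A", "B", "A", "B", "Dst"],            # second set: 5 links
    ["Src", "A", "B", "Dst"],                      # third set: 3 links
]


def path_delay(route, hop_delay):
    """One-way latency of a source-routed path: one hop_delay per link."""
    return (len(route) - 1) * hop_delay


def send_and_arrive(routes, packets_per_set, hop_delay):
    """Simulate the sender: one packet per time unit, set after set, each set
    pinned to its own route. Returns a list of (send_time, arrive_time)."""
    events = []
    t = 0
    for route in routes:
        delay = path_delay(route, hop_delay)
        for _ in range(packets_per_set):
            events.append((t, t + delay))
            t += 1
    return events


def peak_rate(arrivals, window):
    """Highest number of arrivals seen in any `window` consecutive time units,
    expressed as packets per time unit."""
    counts = Counter(arrivals)
    lo, hi = min(arrivals), max(arrivals)
    best = 0
    for start in range(lo, hi + 1):
        best = max(best, sum(counts[t] for t in range(start, start + window)))
    return best / window


def burst_factor(routes, packets_per_set, hop_delay):
    """Ratio of the peak arrival rate at Dst to the sender's input rate.
    The sender always emits one packet per time unit, so the input rate is 1."""
    events = send_and_arrive(routes, packets_per_set, hop_delay)
    sent = [s for s, _ in events]
    arrived = [a for _, a in events]
    assert len(sent) == len(arrived)  # packets in == packets out
    input_rate = len(sent) / (max(sent) - min(sent) + 1)
    return peak_rate(arrived, packets_per_set) / input_rate


def aligned_set_size(routes, hop_delay):
    """Set size N that makes consecutive sets' arrival windows coincide: each
    later set starts N units later but its route is shorter by exactly that
    much delay. Requires the route lengths to step down uniformly."""
    diffs = {
        path_delay(routes[i], hop_delay) - path_delay(routes[i + 1], hop_delay)
        for i in range(len(routes) - 1)
    }
    assert len(diffs) == 1, "routes must shorten by the same amount each set"
    return diffs.pop()


if __name__ == "__main__":
    hop_delay = 5                                  # assumed per-link latency
    n = aligned_set_size(ROUTES, hop_delay)        # 10 packets per set
    print("aligned  :", burst_factor(ROUTES, n, hop_delay))      # 3.0
    print("mistimed :", burst_factor(ROUTES, n - 3, hop_delay))  # between 1 and 3
```

With hop_delay = 5 the aligned set size is 10: the 30 packets leave Src one per tick over 30 ticks and all arrive at Dst between ticks 35 and 44, three per tick. Shrinking the sets to 7 packets (the "tricky" mis-timing case) still overlaps the windows partially, so the burst factor drops but stays above 1.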
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------