@@ -725,3 +725,36 @@ filtering. These are commercial products, with many proprietary
725725details, but the general principles outlined here explain their
726726underlying strategy.
727727
728+ Finally, note that this brief overview of DoS attacks is heavily
729+ slanted towards web content, which is to say, attackers are taking
730+ advantage of the HTTP protocol—significant server resources are
731+ consumed responding to bogus GET requests. In general, all protocols
732+ are vulnerable to insidious combinations of packets. For example, IP
733+ can be attacked with a "Christmas Tree" packet, one that has multiple
734+ options turned on (i.e., is "lit up like a Christmas tree"), where
735+ each option requires IP to execute instructions it would not normally
736+ execute to forward a typical packet. A router with a naive
737+ implementation of IP would be at risk of not being able to forward
738+ packets at line speed if it's busy processing the options. For this
739+ reason, routers typically implement a "fast path" that is able to keep
740+ pace with line speeds and a "slow path" that processes exceptional
741+ packets, and most importantly, they are able to quickly determine
742+ which path each packet should be assigned to. This is a variant of the
743+ second countermeasure—decide early to protect resources.
744+
745+ Another well-known example is a "SYN Flood" targeting TCP, whereby an
746+ attacker floods a server with SYN requests without any intent to
747+ complete the TCP handshake and actually establish a connection. This
748+ overloads TCP's connection table, potentially denying connections to
749+ legitimate clients. These examples is just two of many, forcing
750+ protocol implementers to program defensively. Addressing this
751+ challenge ventures outside the scope of this book, but the following
752+ reference explores the problem in more depth.
753+
754+ .. admonition :: Further Reading
755+
756+ X. Qie, R. Pang, and L. Peterson. `Defensive Programming: Using an Annotation Toolkit to Build
757+ DoS-Resistant Software
758+ <https://www.usenix.org/conference/osdi-02/defensive-programming-using-annotation-toolkit-build-dos-resistant-software> `__.
759+ Proceedings of the Fifth Symposium on Operating System Design and Implementation
760+ (OSDI). Usenix. December 2002.
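Review bot: On new line 749, "These examples is just two of many" has a subject-verb mismatch; suggest "These examples are just two of many". The SYN flood paragraph (new lines 745-752) also describes the attack and its effect on TCP's connection table but, unlike the Christmas Tree paragraph, never ties it back to one of the countermeasures the section lists, so a sentence saying which countermeasure applies would keep the two examples parallel. On new line 754 the directive is written ".. admonition :: Further Reading" with a space before the "::"; the conventional form is ".. admonition:: Further Reading", and it is worth matching whatever the other Further Reading blocks in the book use. Please also confirm that the space between ">" and "`__" on new line 758 is not in the source, since the hyperlink target should close immediately before the backquote.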