It is indeed not well documented.
The reason for that is maybe because stateful firewalls and IPS�s will
simply drop ACK packets participating in this attack ,i.e., out-of-session
Ack packets are dropped, thus the attack is prevented without any specific
log that really identify it.
Regarding in-session Fast Repeat Ack, this type is more difficult to
accurately detect and prevent (but possible of course). Most firewalls and
IPS will not detect it.
You can search for "Ack Storm", you might find more information about it
Avi C
From: jono29@gmail.com
To: focus-ids@securityfocus.com
Subject: Type of Attack Vector
Date: 25 Jan 2006 15:11:22 -0000
Hi List,
I have recently come across a type of attack vector named "Fast Repeat
Ack". Having searched through various sources of information such as MySDN
and MSDN I have been unable to find anything specific to this vector,
although I have found alot of info on the other connection orientated
attacks such as Syn Flood and Half Open Syn.
Any information will be greatly received, and any links to useful sources
appreciated.
Thanks for your time,
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
_________________________________________________________________
Don't just search. Find. Check out the new MSN Search!
http://search.msn.com/
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
