This is a really, really old attack. One way to protect against this is by limiting the number of open connections per IP. So if you can have up to 30000 sockets open in your process, 30 per IP is plenty to prevent most attackers.
IPv6 changes this a bit, so one might want to do a limit per subnet, say 30 per /64.
DigitalOcean hands out /124s. Then they realized that blackholes were hitting multiple droplets (VMs) at once because people blackhole entire /64s, so their solution was to block ports on IPv6 instead of doing the sensible thing and handing out /64s to the droplets instead.
It seems like the author thought his work was novel because he discovered using a firewall to stop a local client from sending FIN or RST. Of course, this is a triviality if you understand how to craft this type of attack using raw packets/custom TCP code.
16 comments
[ 3.8 ms ] story [ 55.1 ms ] threadEdit: With Slowloris it looks like the connection isn't closed client side though?
Although I'm just wondering they're dropping the FINs anyway.
IPv6 changes this a bit, so one might want to do a limit per subnet, say 30 per /64.
Works great until your users use an ISP that hands out /128 rather than /64
Seriously? Who even hands out one single /64 or smaller? it's not like handing out /48s instead is going to deplete the IPv6 pool space [0].
[0] https://www.wolframalpha.com/input/?i=2%5E48+%2F+people+on+e...
Budget VPS/dedicated server providers, such as OVH: https://www.kimsufi.com/en/servers.xml
(And yeah, this is a classic failure mode of TCP...)