Buffer Bloat, a menace to the TCP protocol

Today I would like to take a minute of your time to talk about bandwidth usage and a little-known phenomenon called buffer bloat.


What is buffer bloat and what does it affect?


Buffer bloat is the phenomenon whereby excess buffering of packets inside the network causes high latency and jitter and reduces overall network throughput. It occurs when a network link becomes congested, causing packets to queue up in the buffer of a router or switch. As traffic passes from one router to the next this buffering is amplified: each router segment buffers the flows, so the more router segments there are between the endpoints, the larger the bloat can grow. The problem is caused mainly by router and switch manufacturers making incorrect assumptions and buffering packets for too long in cases where they should be dropped. Dropping packets is not always a bad thing. TCP is built so that when packets are dropped the protocol slows the transmission down; transmission speeds up and slows down until it finds an equilibrium equal to the speed of the link. For this to work, however, the packet drops must occur in a timely manner, and buffering packets defeats this process.


In a network buffer (router memory), packets are queued before being transmitted, and in the problematic case packets are only dropped once the buffer is full. With the advent of cheap RAM, router manufacturers have been adding more and more memory to their systems, allowing for larger and larger buffers. On older routers buffers were fairly small, so they filled quickly; packets began to drop shortly after the link became saturated, TCP could adjust, and the issue never became apparent. On newer routers buffers have become large enough to hold several megabytes of data, which translates to 10 seconds or more of queueing delay at a 1 Mbit/s line rate.
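
To put numbers on this, here is an added example, not code from the original post: a tail-drop FIFO model of a router buffer in Python. The packet size (1500 bytes), link rate (1 Mbit/s), offered load (2 Mbit/s), run length and the two buffer sizes are constructed assumptions. Running it shows that a 15 kB buffer starts dropping about 0.1 s after the link saturates and caps queueing delay at 0.12 s, while a 3 MB buffer absorbs traffic for roughly 24 s before the first drop and delays packets by up to 24 s, which is the bloat the text describes.

```python
"""Tail-drop FIFO model of a router buffer (added example, not from the post).

Models the situation described above: a sender offering more traffic than
the link can carry, and a router whose only policy is "drop when the buffer
is full".  All sizes, rates and durations are constructed for illustration.
Times are kept in integer microseconds so the results are exact.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional

PACKET_BYTES = 1500      # MTU-sized packets (assumption)
US_PER_S = 1_000_000


def max_queue_delay_s(buffer_bytes: int, link_bps: int) -> float:
    """Worst-case queueing delay: a full buffer drained at the link rate."""
    return buffer_bytes * 8 / link_bps


@dataclass
class QueueStats:
    enqueued: int                 # packets accepted into the buffer
    dropped: int                  # packets discarded because it was full
    first_drop_s: Optional[float]  # when TCP would first see a loss signal
    max_delay_s: float            # largest queueing delay any packet saw


def simulate(buffer_bytes: int, link_bps: int, offered_bps: int,
             duration_s: float) -> QueueStats:
    """Offer constant-rate traffic to a single FIFO queue and record the damage."""
    service_us = PACKET_BYTES * 8 * US_PER_S // link_bps      # time to send one packet
    interarrival_us = PACKET_BYTES * 8 * US_PER_S // offered_bps
    capacity = buffer_bytes // PACKET_BYTES                     # packets that fit
    in_flight = deque()          # departure times of packets still in the buffer
    last_departure = 0
    stats = QueueStats(0, 0, None, 0.0)
    max_delay_us = 0
    t = 0
    while t < duration_s * US_PER_S:
        # Packets the link has finished sending by time t leave the buffer.
        while in_flight and in_flight[0] <= t:
            in_flight.popleft()
        if len(in_flight) >= capacity:
            # Tail drop: the only signal TCP ever gets, and it comes late.
            stats.dropped += 1
            if stats.first_drop_s is None:
                stats.first_drop_s = t / US_PER_S
        else:
            departure = max(t, last_departure) + service_us
            in_flight.append(departure)
            last_departure = departure
            max_delay_us = max(max_delay_us, departure - t)
            stats.enqueued += 1
        t += interarrival_us
    stats.max_delay_s = max_delay_us / US_PER_S
    return stats


if __name__ == "__main__":
    LINK, OFFERED = 1_000_000, 2_000_000      # 1 Mbit/s link, 2 Mbit/s offered
    for size in (15_000, 3_000_000):
        s = simulate(size, LINK, OFFERED, 30)
        print(f"buffer {size:>9} B: first drop at {s.first_drop_s}s, "
              f"max delay {s.max_delay_s:.3f}s "
              f"(bound {max_queue_delay_s(size, LINK):.3f}s), "
              f"dropped {s.dropped} of {s.dropped + s.enqueued}")
```

The only policy modelled is "drop when full", which is exactly the problem: the first drop, the congestion signal TCP relies on, arrives only after the whole buffer has filled, so the delay a big buffer imposes is simply its size divided by the link rate, as `max_queue_delay_s` computes.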


The problem is not limited to TCP; it also affects other protocols. All packets passing through a simple buffer implemented as a single queue experience the same delay, so the latency of any connection that passes through a filled buffer is affected, including ICMP and UDP traffic. If you have read this, please send me an email back; I would like to see how many of us out there read this far.


Want to learn more about buffer bloat and how it affects endpoints and company networks? Please see this article on buffer bloat: http://gettys.wordpress.com/2010/12/03/introducing-the-criminal-mastermind-bufferbloat/


Turning DNS into a weapon of mass destruction

I wanted to send out a little blurb about this week's attack on Spamhaus and to explain just how something like this is done. Don't we all love to learn new things!


As a lot of you have been hearing, Spamhaus was attacked this week by the group Anonymous with what is commonly known as a DNS reflection attack. What is a DNS reflection attack, you ask? Let me explain. DNS reflection, also known as DNS amplification, is a process in which an attacker sends requests to open DNS servers on the internet (for example 4.2.2.2) with the source IP address spoofed to be the victim's. The server then sends the packets carrying the results of the DNS query back to the spoofed address, the victim. On the surface this looks fairly harmless: all that is really happening is a forged request that triggers a reply from the public DNS server to the victim.


The attack comes in the form of the "amplification effect" that these queries have on a network. The amplification in DNS amplification attacks is generated by the size of the responses. While a DNS lookup request itself is fairly small, the response to a recursive DNS lookup can be much larger. A relatively small number of attacking systems sending a trickle of forged UDP packets to open DNS servers can result in a firehose of data being blasted at the victim. A 60-byte DNS query can be answered with a response of over 4000 bytes, amplifying the traffic by a factor of 60, so you can quickly see that with a few systems under one's control you could drop a DDoS on any network, cripple its router and take down its network access.
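
From the defender's side, the pattern this produces in flow data is distinctive: a host receives large DNS responses from many resolvers it never queried. The Python below is an added example, not code from the original post; it parses constructed NetFlow-style records (the field layout, the addresses, the 10.0.0.0/8 "local" network and the ratio and resolver-count thresholds are all assumptions) and reports hosts whose inbound DNS-response bytes dwarf the query bytes they sent out.

```python
"""Spotting a DNS reflection flood in flow records (added example, not from the post).

A reflection victim receives DNS responses it never asked for, from many
different resolvers, and the response volume is far larger than any DNS
queries it sent.  This walks constructed flow records and flags that shape.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows: src,sport,dst,dport,proto,bytes
# (RFC 5737 documentation addresses stand in for public resolvers;
#  10.0.0.0/8 is our "local" network.)
SAMPLE_FLOWS = """\
192.0.2.10,53,10.0.0.5,41000,udp,4100
198.51.100.20,53,10.0.0.5,41000,udp,3950
203.0.113.30,53,10.0.0.5,41000,udp,4080
192.0.2.11,53,10.0.0.5,41000,udp,4010
10.0.0.7,52000,192.0.2.10,53,udp,60
192.0.2.10,53,10.0.0.7,52000,udp,180
10.0.0.7,52001,203.0.113.30,53,udp,62
203.0.113.30,53,10.0.0.7,52001,udp,210
"""


@dataclass
class VictimReport:
    host: str
    response_bytes: int   # DNS-response bytes received (UDP source port 53)
    query_bytes: int      # DNS-query bytes this host itself sent out
    resolvers: int        # distinct resolvers the responses came from
    ratio: float          # response bytes per query byte (inf if no queries)


def parse_flows(text):
    """Parse the constructed comma-separated flow lines into tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append((src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def find_reflection_victims(flows, local_net, ratio_threshold=10.0, min_resolvers=3):
    """Return local hosts that look like DNS reflection targets.

    Thresholds are assumptions: a host is reported when it received at least
    ratio_threshold response bytes per query byte it sent and the responses
    came from at least min_resolvers distinct resolvers.
    """
    net = ipaddress.ip_network(local_net)
    response_bytes = defaultdict(int)
    query_bytes = defaultdict(int)
    resolvers = defaultdict(set)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport == 53 and ipaddress.ip_address(dst) in net:
            response_bytes[dst] += nbytes          # inbound DNS response
            resolvers[dst].add(src)
        elif dport == 53 and ipaddress.ip_address(src) in net:
            query_bytes[src] += nbytes             # outbound DNS query
    victims = []
    for host, rbytes in response_bytes.items():
        qbytes = query_bytes.get(host, 0)
        ratio = rbytes / qbytes if qbytes else float("inf")
        if ratio >= ratio_threshold and len(resolvers[host]) >= min_resolvers:
            victims.append(VictimReport(host, rbytes, qbytes, len(resolvers[host]), ratio))
    return sorted(victims, key=lambda v: v.response_bytes, reverse=True)


if __name__ == "__main__":
    for v in find_reflection_victims(parse_flows(SAMPLE_FLOWS), "10.0.0.0/8"):
        print(f"{v.host}: {v.response_bytes} B of DNS responses from "
              f"{v.resolvers} resolvers, {v.query_bytes} B of queries sent "
              f"(ratio {v.ratio})")
```

In the sample, 10.0.0.7 does ordinary lookups (small queries out, modest answers back) and is left alone, while 10.0.0.5 receives some 16 kB of answers from four resolvers without sending a single query, which is the reflected traffic the paragraph above describes arriving at the victim.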


So now you know, enjoy the knowledge.


Cubert. 😎