This lesson explains protocol and state-exhaustion attacks: stealthy, low-bandwidth methods that exhaust server-side resources like connection tables, thread pools, and TLS contexts. It covers classic examples (SYN floods, Slowloris, TLS handshake abuse, SIP INVITEs), how botnets orchestrate them, and practical detection and mitigation strategies.
Protocol and State-Exhaustion Attacks — The Slow, Sneaky Killers of Availability

Hook: Imagine a nightclub with an ultra-tight bouncer at the door. A flood of rowdy people (volumetric attacks) would obviously overwhelm the place — you block the entrance with a wall of armed security (CDNs, scrubbi...
This lesson builds on the DoS/DDoS fundamentals and the volumetric patterns you studied earlier. Volumetric attacks smash bandwidth; protocol/state-exhaustion attacks starve the server's state — connection tables, thread pools, TLS contexts, SIP call states — often with low bandwidth and high cunni...
What are Protocol and State-Exhaustion Attacks? (Short Version)

Protocol attacks abuse weaknesses or normal behavior of network protocols (TCP, TLS, SIP, HTTP) to force servers or network devices to allocate or hold resources. State-exhaustion attacks aim to deplete finite server-side state: co...
Classic Examples (and why they work)

1) TCP SYN Flood (the textbook state-exhaustion move)

TCP handshake: SYN -> SYN-ACK -> ACK. The server allocates a transmission control block (TCB) when it receives the SYN and holds it while waiting for the ACK. If an attacker sends many SYNs (often with spoofed source IPs), the server's backlog fills with h...
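To make the "state allocated on SYN" point concrete, here is an added example (not part of the lesson) that models a listening socket two ways: a stateful backlog that keeps a TCB per SYN, and a SYN-cookie mode that keeps nothing until a valid ACK arrives. The cookie layout follows the classic scheme (5-bit time slot, 3-bit MSS index, 24-bit keyed hash of the 4-tuple), but the secret, MSS table, backlog size, IP addresses and the flood itself are constructed for the demo and are not any kernel's real implementation.

```python
import hashlib
import hmac
import ipaddress
import random

# Constructed per-boot secret; a real kernel derives its own and rotates it.
SERVER_SECRET = b"constructed-example-secret"

# Small MSS table in the style of the classic scheme; the cookie stores an index into it.
MSS_TABLE = [536, 1300, 1440, 1460]


def encode_mss(client_mss):
    """Index of the largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _cookie_hash(saddr, daddr, sport, dport, t):
    """24-bit keyed hash binding the cookie to the 4-tuple and the 64-second time slot."""
    msg = (ipaddress.IPv4Address(saddr).packed + ipaddress.IPv4Address(daddr).packed
           + sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes([t & 31]))
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, now):
    """ISN for the SYN-ACK: top 5 bits = time slot, next 3 = MSS index, low 24 = hash."""
    t = (now // 64) & 31
    return ((t << 27) | (encode_mss(client_mss) << 24)
            | _cookie_hash(saddr, daddr, sport, dport, t)) & 0xFFFFFFFF


def check_syn_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the final ACK (ack = cookie + 1). Returns the MSS to use, or None if the
    cookie is forged, belongs to another 4-tuple, or is older than the previous slot."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, m, h = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
    if ((now // 64) - t) & 31 > 1:          # accept the current or previous slot only
        return None
    if h != _cookie_hash(saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[m] if m < len(MSS_TABLE) else None


class Listener:
    """Toy listening socket: stateful mode keeps a TCB per SYN (bounded backlog);
    cookie mode keeps no state until a valid ACK arrives."""

    def __init__(self, addr, port, backlog, use_cookies):
        self.addr, self.port, self.backlog, self.use_cookies = addr, port, backlog, use_cookies
        self.half_open = {}        # (client ip, client port) -> (isn, mss); stateful mode only
        self.established = []
        self.dropped_syns = 0

    def on_syn(self, saddr, sport, mss, now):
        """Return the ISN to send in the SYN-ACK, or None if the SYN had to be dropped."""
        if self.use_cookies:
            return make_syn_cookie(saddr, self.addr, sport, self.port, mss, now)
        if len(self.half_open) >= self.backlog:   # backlog full: legitimate SYNs are lost too
            self.dropped_syns += 1
            return None
        isn = random.getrandbits(32)
        self.half_open[(saddr, sport)] = (isn, mss)
        return isn

    def on_ack(self, saddr, sport, ack, now):
        """Complete the handshake; True if a connection was established."""
        if self.use_cookies:
            mss = check_syn_cookie(saddr, self.addr, sport, self.port, ack, now)
        else:
            isn, mss = self.half_open.pop((saddr, sport), (None, None))
            if isn is None or (isn + 1) & 0xFFFFFFFF != ack:
                mss = None
        if mss is None:
            return False
        self.established.append((saddr, sport, mss))
        return True


def demo(use_cookies, flood_size=200, backlog=128):
    """Send SYNs from constructed spoofed sources that never ACK, then check whether
    one legitimate client can still complete its handshake."""
    srv = Listener("192.0.2.10", 443, backlog, use_cookies)
    now = 1000
    for i in range(flood_size):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, 1460, now)   # half-open, never completes
    isn = srv.on_syn("203.0.113.7", 40000, 1460, now + 1)
    if isn is None:
        return False
    return srv.on_ack("203.0.113.7", 40000, (isn + 1) & 0xFFFFFFFF, now + 2)


if __name__ == "__main__":
    print("stateful backlog, legitimate client connects:", demo(use_cookies=False))
    print("SYN cookies, legitimate client connects:", demo(use_cookies=True))
```

With the stateful backlog, 200 half-open entries exhaust a 128-slot table and the legitimate SYN is dropped; with cookies the server stores nothing per SYN, so the flood costs it only a hash per packet and the real client still connects. The trade-off the lesson alludes to is visible in the code: the cookie can only carry a coarse MSS and no other TCP options, which is why cookies are normally enabled only once the backlog is under pressure.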
How Protocol Attacks Differ from Volumetric and App-Layer Attacks

Attack type       Primary target                                  Bandwidth    Detection difficulty
Volumetric        Network pipes (bandwidth)                       High         Medium — obvious at scale
Protocol / State  Connection tables, thread pools, TLS contexts   Low–Medium   Hard — ...
How Botnets Orchestrate These Attacks (and why it's scary)

Botnets provide distribution: many source IPs, diverse geographic and network origins, making simple IP blocking ineffective. Well-orchestrated bots can stagger connection open times to keep server state perpetually occupied without tri...
Practical Detection and Mitigation Checklist

Network-level: Monitor SYN_RECV counts and half-open connections (netstat, ss). Use SYN cookies/synproxy on edge devices.
Transport and TLS: Enforce TLS session resumption, rate-limit handshakes, offload TLS.
Application: Use reverse proxies/l...
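The network-level item above (watch half-open connection counts) is the kind of check that is easy to script. The following added example, not from the lesson, parses the output format of `ss -tan` (which prints the state as SYN-RECV), counts half-open connections per peer and per /24 or /64, and raises alerts for backlog pressure, a single noisy source, and the distributed pattern the botnet section describes: many sources each below any per-IP threshold but one network well above it. The sample output, backlog size and thresholds are constructed for the demo.

```python
import ipaddress
from collections import Counter

# Constructed sample of `ss -tan` output on a web server; not captured from a real host.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      192.0.2.10:443     203.0.113.7:40000
SYN-RECV 0      0      192.0.2.10:443     198.51.100.11:51001
SYN-RECV 0      0      192.0.2.10:443     198.51.100.12:51002
SYN-RECV 0      0      192.0.2.10:443     198.51.100.13:51003
SYN-RECV 0      0      192.0.2.10:443     198.51.100.14:51004
SYN-RECV 0      0      192.0.2.10:443     198.51.100.15:51005
SYN-RECV 0      0      192.0.2.10:443     198.51.100.16:51006
SYN-RECV 0      0      192.0.2.10:443     198.51.100.17:51007
SYN-RECV 0      0      192.0.2.10:443     198.51.100.18:51008
SYN-RECV 0      0      192.0.2.10:443     203.0.113.9:40101
ESTAB    0      0      192.0.2.10:443     203.0.113.8:40050
LISTEN   0      128    0.0.0.0:443        0.0.0.0:*
"""


def parse_ss(text):
    """Yield (state, local, peer_ip, peer_port) for each data row of `ss -tan` output."""
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        peer_ip, peer_port = fields[4].rsplit(":", 1)
        yield fields[0], fields[3], peer_ip.strip("[]"), peer_port


def _prefix(ip):
    """Aggregate by /24 (IPv4) or /64 (IPv6) to spot many low-rate sources in one network."""
    addr = ipaddress.ip_address(ip)
    length = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))


def half_open_report(ss_output, backlog, per_source_limit=3, pressure_fraction=0.5):
    """Summarise SYN-RECV (half-open) connections and return counts plus alert strings."""
    half_open = [r for r in parse_ss(ss_output) if r[0] == "SYN-RECV"]
    per_source = Counter(r[2] for r in half_open)
    per_prefix = Counter(_prefix(r[2]) for r in half_open)
    alerts = []
    if len(half_open) >= backlog * pressure_fraction:
        alerts.append(f"backlog_pressure:{len(half_open)}/{backlog}")
    for ip, n in per_source.items():
        if n > per_source_limit:
            alerts.append(f"noisy_source:{ip}")
    for net, n in per_prefix.items():
        # Whole network over the limit while no single host in it is: distributed, low-rate sources.
        loudest_host = max(per_source[ip] for ip in per_source if _prefix(ip) == net)
        if n > per_source_limit and loudest_host <= per_source_limit:
            alerts.append(f"distributed:{net}")
    return {
        "total_half_open": len(half_open),
        "per_source": dict(per_source),
        "per_prefix": dict(per_prefix),
        "alerts": alerts,
    }


if __name__ == "__main__":
    # On a live host: half_open_report(subprocess.check_output(["ss", "-tan"], text=True), backlog)
    report = half_open_report(SAMPLE_SS, backlog=16)
    print(report["total_half_open"], "half-open connections")
    for alert in report["alerts"]:
        print("ALERT", alert)
```

Per-IP blocking would find nothing here (no host has more than one half-open connection), while the per-prefix view shows eight of nine half-open entries coming from one /24. In practice the backlog value comes from the listening socket (the Send-Q column of the LISTEN row in `ss -tln` reports it) and the report would be emitted periodically to the SIEM or alerting pipeline rather than printed.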
Contrasting Perspectives: Throw Money vs. Tighten Controls

Some argue the scalable defense is "throw more infrastructure" (CDNs, scalable load balancers). That's effective for volumetric attacks but is cost-inefficient against state-exhaustion tactics. Others favor protocol hardening (SYN cooki...