Channel-Stuffing Attacks

A Channel-Stuffing attack is an instance of a Resource Consumption Attack(RCA) in which a service component is identified as having a limit, and the system is pushed over that limit.

Typical denial of service attacks are unsophisticated “smash and bash” attempts directed mostly at overloading communications bandwidth. They have numerous disadvantages: first and foremost you give away the IP addresses of the botnet that you are using, which invites responders back-tracking the command and control. Secondly, there are well-known techniques for blocking most of them, and most interesting servers will be designed to scale up or resist the attacks.

When you are doing your target analysis, look for any discrete transaction that is performed. Are shopping carts created? Are sessions created? Are there contact pages? Are there submission forms? What gets submitted and how do you think it is processed? Any place in which transactional information is collected should be thought of as a channel into which things can be stuffed. And all channels have limited bandwidth. All database servers have a maximum number of connections that they can pool. Every maximum thing in the system is a point of attack.

For maximum damage, channel-stuffing attacks should be coupled with a disambiguation cost attack.