TCP Ack storm DoS attacks

Raz Abramov, Amir Herzberg

Research output: Contribution to journalArticlepeer-review

16 Scopus citations


We present Ack-storm DoS attacks, a new family of DoS attacks exploiting a subtle design flaw in the core TCP specifications. The attacks can be launched by a very weak MitM attacker, which can only eavesdrop occasionally and spoof packets (a Weakling in the Middle (WitM)). The attacks can reach theoretically unlimited amplification; we measured amplification of over 400,000 against popular web sites before aborting our trial attack. Ack storm DoS attacks are practical. In fact, they are easy to deploy in large scale, especially considering the widespread availability of open wireless networks, allowing an attacker easy WitM abilities to thousands of connections. Storm attacks can be launched against the access network, e.g. blocking address to proxy web server, against web sites, or against the Internet backbone. Storm attacks work against TLS/SSL connections just as well as against unprotected TCP connections, but fails against IPSec or link-layer encrypted connections. We show that Ack-storm DoS attacks can be easily prevented, by a simple fix to TCP, in either client or server, or using a packet-filtering firewall.

Original languageEnglish
Pages (from-to)12-27
Number of pages16
JournalComputers and Security
StatePublished - Mar 2013

Bibliographical note

Publisher Copyright:
© 2012 Elsevier Ltd. All rights reserved.


Many thanks to Charlie Kaufman, Amit Klien and Ben Laurie for their important feedback and encouragement. Amit also introduced us to the earlier work discussing Ack storms (as an undesirable side-effect of TCP hijacking attacks), e.g. Joncheray (1995) . This research was support by grant from the Israeli Science Foundation (ISF) .

FundersFunder number
Israeli Science Foundation


    • Amplification attacks
    • Denial of service
    • Man in the middle
    • Secure network protocols
    • TCP
    • Wi-fi attacks


    Dive into the research topics of 'TCP Ack storm DoS attacks'. Together they form a unique fingerprint.

    Cite this