10/02/2008
TCP/IP flaw: state-holding attacks
We will have to read more about state-holding attacks now that this method of attacking internet-connected 'things' seems possible with very little firepower.
* some history on this from Phrack magazine
* In Steps Towards a DoS-resistant Internet Architecture, Mark Handley states that with his proposed state-setup bit in the IP header such attacks would not be possible, provided it were integrated into routers and stateful firewalls. I think this professor can break his big mind over this kind of thing.
* the old CERT advisory about TCP/IP DDoS
* another solution to think of is maybe here: "Abstract: In this paper, we propose techniques to realize a high-speed hardware-based TCP-stream-level pattern match unit for NIDS while increasing the tolerance against state-holding attacks. Since the state of each stream is necessary for TCP-stream-level matching, it would be a target of state-holding attacks. By combining the SBT method [1] with a bi-directional scanning technique, packet loss and reordering can be managed with a small amount of memory. Using packet signatures, a virtually strict retransmission consistency check can be done while reducing the memory usage. As a result, the tolerance against state-holding attacks is increased."
* In this article from Microsoft Research about a Generic Application Protocol Analyzer (GAPA) that should defend against even the most ingenious attacks, the following sentence seems like good advice for all protocol analyzers (minimize state): "We must therefore protect online, real-time operations of GAPA by minimizing the amount of state it maintains for protocol analysis. Furthermore, we must also ensure that GAPA's interpretation of the protocol context is consistent with that of the application, even in the face of carefully crafted, malicious traffic."
* also essential reading is this course on evading or attacking IDSs, of which state-holding attacks are one possible method. But as you remember, the technique opens up a whole set of new ways to bring down machines and security devices.
* and maybe we should start thinking about this kind of tool (another layer of defense): "Another technique for resisting evasion is to introduce a "traffic normalizer": a network forwarding element (i.e., a "bump in the wire") that attempts to eliminate ambiguous network traffic and reduce the amount of connection state that the monitor must maintain. Unlike a firewall, the primary function of a normalizer is to aid the IDS monitor rather than to selectively filter traffic, but if desired the functionality could be combined with a firewall into a single element." If I understand it correctly, this box would normalize the traffic before it reaches the analyzing boxes and would already fend off traffic that is malformed or seems to do only stupid, wrong or bad things, without letting it influence the real defense boxes. Maybe routers should do that. Maybe routers are for the moment too much only bystanders in this 'war' and should become 'soldiers' rather than 'gateways' for attack traffic.
* Robust TCP Stream Reassembly in the Presence of Adversaries is another interesting paper (it seems these problems are already quite old, by the way, but now seem to be gaining a sense of urgency)
* The people working on DCCP in the Internet-Draft circles also seem very busy with state-holding attacks
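To make the "minimize state" advice from the GAPA paper and the reassembly paper concrete, here is a small added illustration (my own toy model, not code from any of the papers or tools linked above): a TCP stream reassembler that buffers out-of-order segments only under a per-stream byte budget and a global stream cap, and counts what it had to refuse or evict so a monitor can alert on it. Stream keys, sequence numbers and the sample segments are all constructed for the example.

```python
from collections import OrderedDict

class BoundedReassembler:
    """Per-stream TCP reassembly with hard caps, so a gap cannot pin unbounded state."""
    def __init__(self, max_streams=1000, max_buffered=64 * 1024):
        self.max_streams = max_streams    # global cap on tracked streams
        self.max_buffered = max_buffered  # per-stream cap on bytes held behind a gap
        self.streams = OrderedDict()      # key -> {"next": seq, "buf": {seq: data}, "held": n}
        self.evicted = 0                  # streams discarded to stay under the global cap
        self.dropped = 0                  # segments refused by the per-stream cap

    def _state(self, key, isn):
        st = self.streams.get(key)
        if st is None:
            if len(self.streams) >= self.max_streams:
                self.streams.popitem(last=False)  # evict least recently active stream
                self.evicted += 1
            st = self.streams[key] = {"next": isn, "buf": {}, "held": 0}
        self.streams.move_to_end(key)             # mark as recently active
        return st

    def segment(self, key, isn, seq, data):
        """Feed one segment; return the bytes now deliverable in order (may be empty)."""
        st = self._state(key, isn)
        if seq < st["next"]:
            return b""  # retransmission of delivered data (overlap checking omitted)
        if seq > st["next"]:
            if st["held"] + len(data) > self.max_buffered:
                self.dropped += 1
                return b""  # refuse: buffering it would exceed this stream's budget
            st["buf"][seq] = data
            st["held"] += len(data)
            return b""
        out, st["next"] = data, st["next"] + len(data)
        while st["next"] in st["buf"]:  # drain buffered segments that now fit
            nxt = st["buf"].pop(st["next"])
            st["held"] -= len(nxt)
            out, st["next"] = out + nxt, st["next"] + len(nxt)
        return out

def demo():
    """Constructed traffic: one honest stream, then 500 streams that never close their gap."""
    r = BoundedReassembler(max_streams=100, max_buffered=1024)
    r.segment("honest", 1000, 1006, b"world")               # early, buffered behind a 6-byte gap
    delivered = r.segment("honest", 1000, 1000, b"hello ")  # fills the gap: b"hello world"
    for i in range(500):                                    # each stream leaves a 1-byte hole
        r.segment(f"gap{i}", 0, 1, b"x" * 900)              # fits under the per-stream cap
        r.segment(f"gap{i}", 0, 901, b"y" * 900)            # would exceed it: refused
    held = sum(s["held"] for s in r.streams.values())       # bounded by 100 * 1024 bytes
    return delivered, len(r.streams), held, r.evicted, r.dropped
```

Note the trade-off the demo exposes: the LRU eviction that keeps memory bounded also throws out the honest stream once enough never-completing streams arrive, so the `evicted` and `dropped` counters are exactly what a monitor should be watching.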
13:38