Next: MULTOPS design Up: MULTOPS: a data-structure for Previous: Related work


Bandwidth attacks

The common denominator of all bandwidth attacks is the desire to cripple someone else's infrastructure by generating a traffic overload. Bandwidth attacks vary, among other things, in the protocol being used to mount the attack. In addition, attackers can use IP spoofing. As mentioned above, IP spoofing is lying about one's own IP address.

Since routing is done based on the IP destination address only, the IP source address can be anything. In some cases, attackers use one specific forged IP source address on all outgoing IP packets to make all returning IP packets--and possibly ICMP messages--go to the unfortunate owner of that address. Attackers also use IP spoofing to hide their location on the network. Section 7.1 discusses how IP spoofing affects MULTOPS' ability to detect (the source(s) of) attacks.

An attacker can forge an ICMP packet with a spoofed IP source address and launch a "Smurf" attack [CC98]: he sends this one forged ICMP packet to a broadcast address and all the receivers respond with a reply to the spoofed IP address (the victim). (A solution is to never reply to ICMP packets that are sent on a broadcast address, or to let routers filter such packets [ea81,ea00].) In a "Fraggle" attack, an attacker instructs many zombies to send UDP packets to one victim. Both Smurf and Fraggle attacks can be detected by MULTOPS because in both cases the packet rate to the victim exceeds the packet rate coming back from the victim in a disproportional manner.

There are several types of attack that use TCP. The best known is "SYN Flooding" [CC96]. Several solutions have been proposed for solving SYN Floods: lowering the TCP time-out, increasing the number of TCP control blocks, SYN cookies [AH99] that eliminate the need to store information on half-open connections, and special firewalls that buffer SYN packets. Although a SYN Flood is actually a resource attack, it is similar to a bandwidth attack because of the flood of SYN packets.
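The paragraph above mentions SYN cookies only by name. The following Python model, added here as an illustration and not taken from the MULTOPS paper or from any kernel implementation, shows why a cookie lets the server keep no state for half-open connections: the initial sequence number itself carries a coarse timestamp, an encoded MSS and a keyed hash, so the returning ACK can be validated by recomputation alone. The 5/3/24 bit layout follows the commonly described scheme; the MSS table, the server key, the 64-second time unit and the one-unit maximum age are assumptions chosen for this example.

```python
import hashlib
import hmac

# Constructed 3-bit MSS table (index 0..4); a real stack has its own table.
MSS_TABLE = (536, 1024, 1460, 4312, 8960)

# Assumption: a server-side key that would be rotated in practice.
SECRET = b"example-secret-rotate-me"

TIME_UNIT_S = 64  # one timestamp tick of the cookie counter (assumed)


def _mac24(key, src_ip, src_port, dst_ip, dst_port, t):
    """24-bit keyed hash over the connection 4-tuple and the time tick."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{t}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now_s, key=SECRET):
    """Build the 32-bit ISN sent in SYN/ACK: 5 bits time, 3 bits MSS, 24 bits MAC.
    Nothing about this half-open connection is stored on the server."""
    t = (int(now_s) // TIME_UNIT_S) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            mss_idx = i  # largest table entry not exceeding the client's MSS
    mac = _mac24(key, src_ip, src_port, dst_ip, dst_port, t)
    return ((t << 27) | (mss_idx << 24) | mac) & 0xFFFFFFFF


def check_cookie(src_ip, src_port, dst_ip, dst_port, cookie, now_s,
                 key=SECRET, max_age_units=1):
    """Validate the cookie carried in the client's ACK (ack_number - 1).
    Returns the negotiated MSS, or None if the cookie is stale or forged."""
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    now_t = (int(now_s) // TIME_UNIT_S) & 0x1F
    age = (now_t - t) % 32  # modular, so the 5-bit counter may wrap
    if age > max_age_units:
        return None  # too old: the client took longer than we tolerate
    if _mac24(key, src_ip, src_port, dst_ip, dst_port, t) != (cookie & 0xFFFFFF):
        return None  # 4-tuple or cookie bits do not match: reject
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed exchange: client 198.51.100.7:40001 -> server 192.0.2.10:80
    c = make_cookie("198.51.100.7", 40001, "192.0.2.10", 80, 1460, now_s=1000)
    print("valid ACK    ->", check_cookie("198.51.100.7", 40001, "192.0.2.10", 80, c, 1030))
    print("stale ACK    ->", check_cookie("198.51.100.7", 40001, "192.0.2.10", 80, c, 1200))
    print("altered bits ->", check_cookie("198.51.100.7", 40001, "192.0.2.10", 80, c ^ 1, 1030))
```

The server's only cost per SYN is one hash computation; the flood of SYN packets still consumes bandwidth, which is why the paragraph treats a SYN Flood as akin to a bandwidth attack even though it is really a resource attack.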

Another attack works by generating a huge amount of normal traffic by, for example, running a JavaScript program in a browser that pops up a few dozen windows each fetching a Web page from one server. This may constitute a problem if a few thousand people are willing to run this script in their browser simultaneously [ec00]. Such a script could easily spread by means of self-replicating e-mail viruses. (This phenomenon can also occur without it being an attack.)

As mentioned in Section 1, attacks that cripple a victim by sending or receiving a high volume of traffic using proportional flows may go unnoticed by MULTOPS.
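The detection criterion stated for Smurf and Fraggle above, and its blind spot stated in this paragraph, can both be seen in the following Python script. It is an added illustration of the packet-rate-ratio heuristic, not code from the MULTOPS paper, and it uses a flat per-address table rather than the MULTOPS tree described in the next section. The packet trace, the one-second window, the minimum rate of 20 packets per second and the ratio threshold of 3 are all constructed for this example.

```python
from collections import defaultdict


def build_trace():
    """Constructed trace of (time_s, src_ip, dst_ip) tuples, three scenarios."""
    trace = []
    # 1. Smurf-like: 20 responders each send 2 packets to 10.0.0.5, which
    #    sends almost nothing back.
    for i in range(40):
        trace.append((i * 0.02, f"203.0.113.{i % 20 + 1}", "10.0.0.5"))
    trace.append((0.50, "10.0.0.5", "203.0.113.1"))
    trace.append((0.60, "10.0.0.5", "203.0.113.1"))
    # 2. Ordinary request/response traffic between a client and a web server.
    for i in range(10):
        trace.append((i * 0.1, "10.0.1.1", "10.0.0.80"))
        trace.append((i * 0.1 + 0.05, "10.0.0.80", "10.0.1.1"))
    # 3. Proportional flood: 192.0.2.9 hammers 10.0.0.7, which answers
    #    every packet, so the flows stay balanced (the blind spot).
    for i in range(50):
        trace.append((i * 0.02, "192.0.2.9", "10.0.0.7"))
        trace.append((i * 0.02 + 0.01, "10.0.0.7", "192.0.2.9"))
    return trace


def count_per_window(trace, window_s):
    """Return {window_index: {address: [packets_to, packets_from]}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for t, src, dst in trace:
        w = int(t // window_s)
        counts[w][dst][0] += 1  # packets flowing to dst
        counts[w][src][1] += 1  # packets flowing from src
    return counts


def flag_disproportionate(trace, window_s=1.0, ratio_threshold=3.0, min_rate=20.0):
    """Addresses whose inbound packet rate is both high and disproportionate
    to their outbound packet rate within some window."""
    flagged = set()
    for per_addr in count_per_window(trace, window_s).values():
        for addr, (to_count, from_count) in per_addr.items():
            rate_to = to_count / window_s
            ratio = to_count / max(from_count, 1)  # avoid division by zero
            if rate_to >= min_rate and ratio >= ratio_threshold:
                flagged.add(addr)
    return flagged


if __name__ == "__main__":
    trace = build_trace()
    for addr, (to_count, from_count) in sorted(count_per_window(trace, 1.0)[0].items()):
        print(f"{addr:14s} to={to_count:3d} from={from_count:3d}")
    print("flagged:", flag_disproportionate(trace))
```

Only 10.0.0.5 is reported: it receives 40 packets per second and returns 2. The proportional exchange with 10.0.0.7 (50 packets each way) passes the ratio test even though its volume is higher, which is exactly the case the paragraph says may go unnoticed; a deployment would pair this heuristic with a plain rate limit if that volume alone is unacceptable.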


2001-05-11