by DDub 4850 days ago
Does this require the authentication cookie to be constant? If, for example, I issue a new cookie to the client every connection then this is mitigated?
3 comments

No, there isn't a reason why a session cookie needs to remain constant forever. I think rotating the cookie on every request would be challenging (because, at any given time, there may be several requests active), but it's very easy to rotate the cookie every couple of minutes. Such rotation would mitigate all attacks that rely on forcing browsers to submit thousands of requests.

Web applications that use HTTP Authentication cannot be fixed in this way, because you cannot change the password regularly. Other protocols that carry plain-text passwords (after SSL) may be even more vulnerable, for the same reason. For example, authenticated SMTP may be the worst case if the attacker can consistently force an automated client to reconnect and try again.

That probably does mitigate the attack, with the proviso that a MITM can keep cookies from rotating by preventing requests from hitting the target.
If the MITM can do that, it doesn't need to attack cookies, does it? It can just impersonate the remote site and steal user-entered credentials. Sharp-eyed users or up-to-date browsers might notice the lack of https for popular sites, and also 2FA, but in general e.g. a malicious WAP has many options.

Or I could be very wrong about this. Please advise.

No, the MITM can be choosy about what traffic it relays and allow the attack to run without causing any of the connections to complete. Think network-layer MITM instead of transport-layer MITM.
The other catch with that approach is that requests can be simultaneous, fail, and/or arrive out-of-order, so the server would need to accept any authentication cookie that it had recently sent to the client, not just the last one.

Not impossible, but not easy.
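The rotation scheme sketched in the thread (a new cookie value every couple of minutes, with the server still honouring any value it issued recently so that simultaneous, failed or out-of-order requests don't log the user out), written out as an added example that is not code from any commenter. The rotation interval, grace window and the store layout are assumptions made for the example.

```python
import secrets
import time

ROTATE_AFTER = 120   # seconds a cookie value stays current before it is replaced (assumed)
GRACE_WINDOW = 30    # seconds a superseded value is still honoured for in-flight requests (assumed)


class RotatingSessionStore:
    """Sessions keyed by opaque cookie tokens; several tokens may map to one session."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}  # session_id -> {"user": str, "current": token, "issued": float}
        self.tokens = {}    # token -> {"sid": session_id, "expires": float or None}

    def _issue(self, sid):
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.tokens[token] = {"sid": sid, "expires": None}  # None = current value, no expiry
        return token

    def login(self, user):
        sid = secrets.token_hex(8)
        token = self._issue(sid)
        self.sessions[sid] = {"user": user, "current": token, "issued": self.clock()}
        return token  # value to put in the Set-Cookie header

    def authenticate(self, token):
        """Return (user, new_cookie). new_cookie is a fresh value when the server
        rotated on this request and None otherwise; (None, None) means reject."""
        now = self.clock()
        entry = self.tokens.get(token)
        if entry is None:
            return None, None
        if entry["expires"] is not None and now > entry["expires"]:
            del self.tokens[token]                 # grace window over: drop the old value
            return None, None
        sess = self.sessions[entry["sid"]]
        if entry["expires"] is None and now - sess["issued"] >= ROTATE_AFTER:
            # Rotate: the old value keeps working for GRACE_WINDOW so requests that
            # were already in flight with it (or arrive out of order) still succeed.
            entry["expires"] = now + GRACE_WINDOW
            new_token = self._issue(entry["sid"])
            sess["current"], sess["issued"] = new_token, now
            return sess["user"], new_token
        return sess["user"], None
```

Bounding the grace window matters: an attacker who can force thousands of requests gets at most ROTATE_AFTER + GRACE_WINDOW seconds of traffic under any one cookie value.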