Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks

James M Snell <jasnell@gmail.com> Fri, 26 April 2013 17:56 UTC

From: James M Snell <jasnell@gmail.com>
Date: Fri, 26 Apr 2013 10:54:33 -0700
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CABP7RbdscuxpBBQp1ydSQUri0Bg_aGSbm-ftF9Jnc-p_1DqnFg@mail.gmail.com>
Subject: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks
Archived-At: <http://www.w3.org/mid/CABP7RbdscuxpBBQp1ydSQUri0Bg_aGSbm-ftF9Jnc-p_1DqnFg@mail.gmail.com>
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17610

https://github.com/http2/http2-spec/issues/80#issuecomment-17089487

In the current draft (-02), we say that Unknown and unrecognized Frame
types MUST be ignored by an endpoint. While this is ok in theory, this
can be very dangerous in practice. Specifically, an attacking sender
could choose to flood a recipient with a high number of junk frames
that use a previously unused type code. Because of the MUST IGNORE
rule, these would simply be discarded by the recipient but the damage
will already have been done. Flow control actions could help mitigate
the problem, but those are only partially effective.

Also, the order of processing here for error handling is not clear.

Let's say an attacker sends a HEADERS frame to the server initiating a
stream. The server sends an RST_STREAM REFUSED_STREAM fully closing
the stream. The attacker continues to send JUNK frames for the same
stream ID. There are two conditions happening here:

1. The sender is sending frames for a closed stream, which ought to
result in an RST_STREAM, but...

2. The frame type is unknown and unrecognized by the server so MUST be ignored.

Which condition takes precedence, and how do we mitigate the possible
attack vector on this one?

- James
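The two questions in the post (which check runs first, and how to keep the MUST IGNORE rule from being free for the sender) can be illustrated with a small frame demultiplexer. The code below is an added example written for this page; it is not from the post, the HTTP/2 draft, or any real implementation. It assumes a draft-era 8-byte frame header (16-bit length, 8-bit type, 8-bit flags, 31-bit stream identifier) and uses illustrative type codes and error names; only the ordering of the checks and the per-connection budget for discarded frames are the point. It applies the closed-stream check before the unknown-type check, so a frame on an already-reset stream is never laundered through the ignore rule, and it charges every silently discarded frame against a budget after which the connection is torn down. It also treats a truncated frame as a hard error rather than something to ignore.

```python
import struct
from dataclasses import dataclass, field

# --- Illustrative constants; assumed for this example, not taken from the post ---
HDR_FMT = ">HBBI"                    # draft-era header: len(16) type(8) flags(8) R+stream id(32)
HDR_LEN = struct.calcsize(HDR_FMT)   # 8 bytes
TYPE_HEADERS = 0x01                  # illustrative type code
TYPE_RST_STREAM = 0x03               # illustrative type code
KNOWN_TYPES = {TYPE_HEADERS, TYPE_RST_STREAM}
ERR_REFUSED_STREAM = "REFUSED_STREAM"
IGNORE_BUDGET = 16                   # frames a connection may silently discard before teardown


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame (used here only to construct sample input)."""
    return struct.pack(HDR_FMT, len(payload), ftype, flags, stream_id & 0x7FFFFFFF) + payload


def parse_frames(buf: bytes) -> list:
    """Split a byte buffer into frames; a truncated frame is a hard error, not ignorable."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < HDR_LEN:
            raise ValueError("truncated frame header")
        length, ftype, flags, sid = struct.unpack_from(HDR_FMT, buf, off)
        off += HDR_LEN
        if len(buf) - off < length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(ftype, flags, sid & 0x7FFFFFFF, buf[off:off + length]))
        off += length
    return frames


@dataclass
class Connection:
    closed_streams: set = field(default_factory=set)
    ignored: int = 0
    sent: list = field(default_factory=list)   # control frames this side emitted
    alive: bool = True

    def handle(self, fr: Frame) -> str:
        """Return a disposition string for one received frame."""
        if not self.alive:
            return "dropped"
        # Precedence rule: stream state is checked BEFORE frame type. A frame on a
        # stream this side already reset is a violation whatever its type, so an
        # unknown type code cannot be used to slip past the closed-stream check.
        if fr.stream_id in self.closed_streams:
            return self._charge("closed-stream")
        if fr.ftype not in KNOWN_TYPES:
            return self._charge("unknown-type")
        if fr.ftype == TYPE_HEADERS:
            # Toy policy matching the post's scenario: refuse every new stream.
            self.sent.append(("RST_STREAM", fr.stream_id, ERR_REFUSED_STREAM))
            self.closed_streams.add(fr.stream_id)
            return "refused"
        # Only RST_STREAM remains among KNOWN_TYPES: the peer closed the stream.
        self.closed_streams.add(fr.stream_id)
        return "peer-closed"

    def _charge(self, reason: str) -> str:
        """Ignoring is not free: each discarded frame is charged to a per-connection budget."""
        self.ignored += 1
        if self.ignored > IGNORE_BUDGET:
            self.alive = False
            self.sent.append(("GOAWAY", 0, "too many ignored frames"))
            return "goaway"
        return "ignored:" + reason


def run(buf: bytes) -> tuple:
    """Feed a byte stream through a fresh connection; return (dispositions, frames sent)."""
    conn = Connection()
    return [conn.handle(fr) for fr in parse_frames(buf)], conn.sent


# Constructed sample input (not a real capture): one HEADERS on stream 1, then 20
# frames of an unassigned type (0x7F) on the same stream, as in the post's scenario.
SAMPLE = build_frame(TYPE_HEADERS, 0, 1, b"\x00") + b"".join(
    build_frame(0x7F, 0, 1, b"junk") for _ in range(20))

if __name__ == "__main__":
    dispositions, sent = run(SAMPLE)
    print(dispositions)
    print(sent)
```

Running it on the constructed sample shows the HEADERS frame refused with an RST_STREAM, the next sixteen junk frames charged as closed-stream violations rather than as anonymous unknown-type frames, the seventeenth exhausting the budget and producing a GOAWAY, and everything after that dropped without further work. A junk frame on a stream the server has never seen still falls through to the plain ignore path, so the ordering costs nothing for well-behaved peers.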