Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks
James M Snell <jasnell@gmail.com> Fri, 26 April 2013 17:56 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5366521F99D7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 26 Apr 2013 10:56:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.186
X-Spam-Level:
X-Spam-Status: No, score=-10.186 tagged_above=-999 required=5 tests=[AWL=0.413, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l1N1AOC2CjG7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 26 Apr 2013 10:56:07 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id B0E7721F99D1 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 26 Apr 2013 10:55:57 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UVmrk-0001IA-MG for ietf-http-wg-dist@listhub.w3.org; Fri, 26 Apr 2013 17:55:24 +0000
Resent-Date: Fri, 26 Apr 2013 17:55:24 +0000
Resent-Message-Id: <E1UVmrk-0001IA-MG@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <jasnell@gmail.com>) id 1UVmrf-0001Fn-VT for ietf-http-wg@listhub.w3.org; Fri, 26 Apr 2013 17:55:20 +0000
Received: from mail-oa0-f44.google.com ([209.85.219.44]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <jasnell@gmail.com>) id 1UVmrf-0002AF-1e for ietf-http-wg@w3.org; Fri, 26 Apr 2013 17:55:19 +0000
Received: by mail-oa0-f44.google.com with SMTP id h1so4286547oag.31 for <ietf-http-wg@w3.org>; Fri, 26 Apr 2013 10:54:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:mime-version:from:date:message-id:subject:to :content-type; bh=yzwwKON3jJEa4E7kEBoLlwQFgW+LGHwSSMKNMEpEFys=; b=BMhDfhrqDg8SjmaDCGJGKPpQ07VWiDhAEd8iaWw+0sYaxRHV9fqMuD03cevs6lOpWw N3jm/2o4/pOnjsGYMMZ/Ys0YX3XSebwpRkCScON+CsyqAH4cYekbmfCfTSNBo2XirfEd 7GhIeNN0y5xABq80TVW9ZLaFoS4mQrf/zcnxgCStVGbykcOgjQlcPjQJdr33GnPQmljH DQ5z8wjn/DH+4T+2Ti/BD99OdrmvFd46y2eY/NtcYS3iJnxUwvx3OB/4lI1TlzlZM5Rv m5VdHMgZEfTwJ3KDQOmVVgmIGxetnqZuP1JZhFaPQb/jQGAD8x2kf/W5ibtrxzbTLuvk UJ1g==
X-Received: by 10.60.76.234 with SMTP id n10mr23889051oew.63.1366998893147; Fri, 26 Apr 2013 10:54:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.60.3.137 with HTTP; Fri, 26 Apr 2013 10:54:33 -0700 (PDT)
From: James M Snell <jasnell@gmail.com>
Date: Fri, 26 Apr 2013 10:54:33 -0700
Message-ID: <CABP7RbdscuxpBBQp1ydSQUri0Bg_aGSbm-ftF9Jnc-p_1DqnFg@mail.gmail.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=209.85.219.44; envelope-from=jasnell@gmail.com; helo=mail-oa0-f44.google.com
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: AWL=-2.646, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UVmrf-0002AF-1e 680dbce5ef77c681332f34107b916ba7
X-Original-To: ietf-http-wg@w3.org
Subject: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks
Archived-At: <http://www.w3.org/mid/CABP7RbdscuxpBBQp1ydSQUri0Bg_aGSbm-ftF9Jnc-p_1DqnFg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17610
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
https://github.com/http2/http2-spec/issues/80#issuecomment-17089487 In the current draft (-02), we say that Unknown and unrecognized Frame types MUST be ignored by an endpoint. While this is ok in theory, this can be very dangerous in practice. Specifically, an attacking sender could choose to flood a recipient with a high number of junk frames that use a previously unused type code. Because of the MUST IGNORE rule, these would simply be discarded by the recipient but the damage will already have been done. Flow control actions could help mitigate the problem, but those are only partially effective. Also, the order of processing here for error handling is not clear. Let's say an attacker sends a HEADERS frame to the server initiating a stream. The server sends an RST_STREAM REFUSED_STREAM fully closing the stream. The attacker continues to send JUNK frames for the same stream ID. There are two conditions happening here: 1. The sender is sending frames for a closed stream, which ought to result in an RST_STREAM, but.. 2. The frame type is unknown and unrecognized by the server so MUST be ignored. Which condition takes precedence and how do we mitigate the possible attack vector on this one. - James
- Design Issue: Unknown Frame Type MUST IGNORE rule… James M Snell
- RE: Design Issue: Unknown Frame Type MUST IGNORE … Mike Bishop
- Re: Design Issue: Unknown Frame Type MUST IGNORE … Martin Thomson
- Re: Design Issue: Unknown Frame Type MUST IGNORE … James M Snell
- Re: Design Issue: Unknown Frame Type MUST IGNORE … Martin Thomson
- Re: Design Issue: Unknown Frame Type MUST IGNORE … William Chan (陈智昌)