Re: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks

Martin Thomson <martin.thomson@gmail.com> Fri, 26 April 2013 18:29 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7263921F9878 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 26 Apr 2013 11:29:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kg5RVZFwEO3e for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 26 Apr 2013 11:29:52 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 7666D21F984C for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 26 Apr 2013 11:29:52 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UVnOa-0000bI-6o for ietf-http-wg-dist@listhub.w3.org; Fri, 26 Apr 2013 18:29:20 +0000
Resent-Date: Fri, 26 Apr 2013 18:29:20 +0000
Resent-Message-Id: <E1UVnOa-0000bI-6o@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1UVnOV-0000Zn-61 for ietf-http-wg@listhub.w3.org; Fri, 26 Apr 2013 18:29:15 +0000
Received: from mail-wi0-f179.google.com ([209.85.212.179]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1UVnOU-0003ml-81 for ietf-http-wg@w3.org; Fri, 26 Apr 2013 18:29:15 +0000
Received: by mail-wi0-f179.google.com with SMTP id l13so939414wie.12 for <ietf-http-wg@w3.org>; Fri, 26 Apr 2013 11:28:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:content-transfer-encoding; bh=IRGqyOynOsyUwgfka8DjM4aGZtcJIUTtSJ2Oew6yCZI=; b=N5/VHGx9y//aVvlYd5iX7fjHKc8M6Mj7jabWD6jSMs38nzwYgYWrmSeMU5CYyBaY0M VmUrdBDSQT+bpzk+8QHaXZvdriTXg+pBBmZQOAbbjvD6fnpK0tgeJ3FA/Zp0NPZDzCT8 bezmwgW+a+Rz20TOAVUV4j89Eew4tuX9/hADvpJeA1VL/2W8bKVfnri5hfwnDvKyrrFZ sp9fd0/kFK6ZlpilBoEHD5R3wzo+2vYrEDyQONgR/+k1GPi1CVSzYYznb0ass9HQJ6Ls 7esGPR9ATWe3ZcIQYBBC/+E0byRznkiU2D+wDwszfSjpU8f/4Ai/O5B2I5AfEK8GDdCb UwMw==
MIME-Version: 1.0
X-Received: by 10.194.109.227 with SMTP id hv3mr19896281wjb.32.1367000928120; Fri, 26 Apr 2013 11:28:48 -0700 (PDT)
Received: by 10.194.33.102 with HTTP; Fri, 26 Apr 2013 11:28:47 -0700 (PDT)
In-Reply-To: <792356c04b9e498c886252bc44904651@BY2PR03MB025.namprd03.prod.outlook.com>
References: <CABP7RbdscuxpBBQp1ydSQUri0Bg_aGSbm-ftF9Jnc-p_1DqnFg@mail.gmail.com> <792356c04b9e498c886252bc44904651@BY2PR03MB025.namprd03.prod.outlook.com>
Date: Fri, 26 Apr 2013 11:28:47 -0700
Message-ID: <CABkgnnXSc_7Gg6Ug8nuJEYRWYzoy7CFC1m8dxxToZ28B5M2SbA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Mike Bishop <Michael.Bishop@microsoft.com>
Cc: James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=209.85.212.179; envelope-from=martin.thomson@gmail.com; helo=mail-wi0-f179.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.696, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UVnOU-0003ml-81 7f9ccd83be760d7ca8d759ddb75a749e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks
Archived-At: <http://www.w3.org/mid/CABkgnnXSc_7Gg6Ug8nuJEYRWYzoy7CFC1m8dxxToZ28B5M2SbA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17612
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Let me know if the text in the current draft leaves that unclear Mike.

For the rest of this issue, I don't see this as a problem that
specifications can address.

If your implementation is ignoring these frames in every sense of the
word, then you are in trouble.  If someone wants to willfully ignore
RST_STREAM, send more frames than your flow control window allows, or
any of these nasty sorts of things, then they are a bad person and you
should be prepared to treat them accordingly.

On 26 April 2013 11:08, Mike Bishop <Michael.Bishop@microsoft.com>; wrote:
> I raised a related issue with Martin, that the FINAL flag is valid in these ignored frames, and the ordering of those rules could lead to disagreement between the peers whether a given stream has been half-closed or not.  We might simply modify the text to say that the payload and frame-specific flags must be ignored, not the entire frame per se.
>
> -----Original Message-----
> From: James M Snell [mailto:jasnell@gmail.com]
> Sent: Friday, April 26, 2013 10:55 AM
> To: ietf-http-wg@w3.org
> Subject: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks
>
> https://github.com/http2/http2-spec/issues/80#issuecomment-17089487
>
> In the current draft (-02), we say that Unknown and unrecognized Frame types MUST be ignored by an endpoint. While this is ok in theory, this can be very dangerous in practice. Specifically, an attacking sender could choose to flood a recipient with a high number of junk frames that use a previously unused type code. Because of the MUST IGNORE rule, these would simply be discarded by the recipient but the damage will already have been done. Flow control actions could help mitigate the problem, but those are only partially effective.
>
> Also, the order of processing here for error handling is not clear.
>
> Let's say an attacker sends a HEADERS frame to the server initiating a stream. The server sends an RST_STREAM REFUSED_STREAM fully closing the stream. The attacker continues to send JUNK frames for the same stream ID. There are two conditions happening here:
>
> 1. The sender is sending frames for a closed stream, which ought to result in an RST_STREAM, but..
>
> 2. The frame type is unknown and unrecognized by the server so MUST be ignored.
>
> Which condition takes precedence and how do we mitigate the possible attack vector on this one.
>
> - James
>
>
>