Re: [IPsec] IPsec Digest, Vol 123, Issue 21

Tero Kivinen <kivinen@iki.fi> Tue, 19 August 2014 10:24 UTC

Message-ID: <21491.9709.148603.972986@fireball.kivinen.iki.fi>
Date: Tue, 19 Aug 2014 13:24:45 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1408181229340.25715@bofh.nohats.ca>
References: <mailman.4236.1406823571.13632.ipsec@ietf.org> <A0463391-0BB4-408F-874B-A6B91ED6D102@gmail.com> <21490.4420.127387.489490@fireball.kivinen.iki.fi> <alpine.LFD.2.10.1408181229340.25715@bofh.nohats.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/525-49vraQQhxy8ZLhoJx1Yl9tM
Cc: ipsec@ietf.org, Les Leposo <leposo@gmail.com>
Subject: Re: [IPsec] IPsec Digest, Vol 123, Issue 21

Paul Wouters writes:
> > I.e. the recent connections table has list of IP-address who have
> > tried to connect to you, but have not yet authenticated, i.e. either
> > real devices in the middle of authentication, or attackers. The real
> > devices in the middle of authentication will not try to reconnect, as
> > they are still continuing the process.
> 
> You would need the port number too to support multiple clients behind the
> same NAT router, upon which the attacker can then use multiple ports too.

No need for port number. If the server is under attack just block / slow
down everybody using the same IP-address (or IP-address mask).

This will block real users out if they are behind the same NAT as
the attacker... On the other hand then the user should fix his home
Windows and get rid of the botnet running there :-)

> > This means attacker needs one new routable IP-address for each attack.
> for each 65k attacks.

Nope, one address per attack as you do not store the port number (and
perhaps not even the full IP-address, especially in IPv6).
-- 
kivinen@iki.fi
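The "recent connections" table described in this thread, keyed by source address (or address mask) rather than by address plus port, as an added example that is not code from the thread or from any IKE implementation. The IPv6 /64 aggregation, the attempt limit and the time window are assumptions chosen for illustration; the table only blocks, it does not implement the "slow down" alternative.

```python
import ipaddress
import time

# Constructed example: track unauthenticated IKE initiators per source key.
# IPv4 keys are the full address; IPv6 keys are the /64 prefix (assumption),
# so extra source ports, or extra interface IDs inside one /64, do not give
# an attacker extra entries. A peer that finishes authentication is removed,
# since a real device mid-handshake will not reconnect anyway.
class RecentConnections:
    def __init__(self, limit, window, v6_prefix=64, clock=time.monotonic):
        self.limit = limit          # unauthenticated attempts allowed per key
        self.window = window        # seconds an attempt is remembered
        self.v6_prefix = v6_prefix  # aggregation prefix for IPv6 sources
        self.clock = clock          # injectable for testing
        self.table = {}             # key -> list of attempt timestamps

    def key(self, src_ip):
        """Collapse a source address into the table key (no port involved)."""
        ip = ipaddress.ip_address(src_ip)
        if ip.version == 6:
            return str(ipaddress.ip_network((ip, self.v6_prefix), strict=False))
        return str(ip)

    def _prune(self, key, now):
        # Drop attempts older than the window; guarantees the key exists.
        self.table[key] = [t for t in self.table.get(key, [])
                           if now - t < self.window]

    def on_init(self, src_ip, src_port=None):
        """Called on each IKE_SA_INIT. Returns False when the source is blocked.
        src_port is accepted only to show that it plays no role in the key."""
        k, now = self.key(src_ip), self.clock()
        self._prune(k, now)
        if len(self.table[k]) >= self.limit:
            return False
        self.table[k].append(now)
        return True

    def on_authenticated(self, src_ip):
        """Peer completed IKE_AUTH: it is no longer a 'recent' unauthenticated one."""
        self.table.pop(self.key(src_ip), None)
```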