Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 13 July 2022 21:59 UTC

Message-ID: <449a95c4-07e2-9fb9-69e7-04cb2d3d8085@gmail.com>
Date: Thu, 14 Jul 2022 09:59:26 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
To: Carsten Bormann <cabo@tzi.org>
Cc: Stuart Cheshire <cheshire@apple.com>, 6man <ipv6@ietf.org>, Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/l0oULqgwIl0xqUibIavsOdR4jWA>

I need to back off a bit on what I said below. I've now learnt even more about running asynchronous threads in parallel in JavaScript, and there seem to be hidden resource limits. If my script sets off too many HTTP transactions in parallel, the valid [http://fe80::xxxx] fails anyway and the script can't find its target. I have to leave about 1000ms between HTTP GETs for the script to work, which means a maximum scan rate of once per second.

However, somebody who understands how JavaScript handles asynchronous operations might be able to do better.

IMHO none of this changes the conclusions of the draft.

Regards
     Brian Carpenter

On 05-Jul-22 12:11, Brian E Carpenter wrote:
> On 30-Jun-22 12:06, Carsten Bormann wrote:
>> On 30. Jun 2022, at 02:03, Ted Lemon <mellon@fugue.com> wrote:
>>>
>>> Of course, many browsers will, at this point, notify the user that "a tab is consuming a lot of power”.
>>
>> But are even 1000 parallel threads, each mostly waiting for 3500 ms, consuming a lot of power?
> 
> I couldn't leave it alone, so I learnt a bit more JavaScript and figured out how to launch an arbitrary number of threads in parallel (which is surprisingly easy, but stopping them once launched is harder). A few hundred in parallel doesn't even heat the CPU enough for the fan to come on. At around a million, the fan is going like crazy and Firefox is clearly going to fill memory soon, and in fact cannot even shut down the tab where the threads are running. In any case, as Carsten pointed out, because of the need for a timeout, parallelism makes a big difference.
> 
> The sweet spot seems to be several thousand threads, which is impressive. I estimate from my observations that a carefully designed script could scan about 1000 addresses per second, without alarming the user that something was going on. That would amount to 585 million years to scan a 64 bit space, *but* only 4.6 hours to scan a 24 bit space. (All based on my very ordinary Windows laptop and home network.)
> 
> That's interesting, because it means that there is no realistic risk when using a random 64 bit interface identifier, but a real exposure when using a Modified EUI-64, since many of the bits are guessable, as discussed in RFC 7707. The numbers above are clearly specific to a particular scenario, but we will mention this point in the draft (update coming very soon).
> 
> Regards
>       Brian
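Editor's note: the following is an added example, not Brian Carpenter's script and not code from the draft. It puts the two things the thread reasons about into runnable form: a bounded-concurrency probe loop in which every non-answering address ties up a slot for the full timeout (so the achievable rate is roughly in-flight probes divided by timeout), and the size of the candidate space a script has to cover when the interface identifier is a Modified EUI-64 (RFC 4291 Appendix A: OUI with the universal/local bit inverted, then ff:fe, then the 24-bit NIC-specific part, so only 2^24 guesses per known OUI, as RFC 7707 discusses) versus a random 64-bit identifier. Assumptions, not from the thread: "alive" means an HTTP GET to http://[addr]/ completes before the timeout, the browser-side prober uses fetch with an AbortController timer, and the OUI 00:11:22 is a constructed value used only for the arithmetic. The probe function is injectable, so the loop can be exercised offline with a constructed prober.

```javascript
// Added example (editor's code, not the original poster's script).
// Shows: (1) a bounded-concurrency probe loop where each non-answering
// address costs one full timeout, and (2) the 2^24 candidate space of a
// Modified EUI-64 link-local address for one known OUI versus 2^64 for a
// random interface identifier.
// Assumption: "alive" = an HTTP GET to http://[addr]/ completes before the
// timeout. The prober is a parameter so the loop can run offline.

const SECONDS_PER_YEAR = 365.25 * 86400;

// fe80::<iid> for a MAC of <oui>:<nic>, both 24-bit (RFC 4291 Appendix A).
function eui64LinkLocal(oui, nic) {
  if (!Number.isInteger(oui) || !Number.isInteger(nic) ||
      oui < 0 || oui > 0xffffff || nic < 0 || nic > 0xffffff) {
    throw new RangeError('oui and nic must be 24-bit integers');
  }
  const first = (oui >>> 16) ^ 0x02; // invert the universal/local bit
  const groups = [
    (first << 8) | ((oui >>> 8) & 0xff),
    ((oui & 0xff) << 8) | 0xff,      // ...ff:fe... inserted in the middle
    0xfe00 | (nic >>> 16),
    nic & 0xffff,
  ];
  return 'fe80::' + groups.map((g) => g.toString(16)).join(':');
}

// All guessable candidates for one OUI: only the 24 NIC bits vary.
function* eui64Candidates(oui, startNic = 0, endNic = 0x1000000) {
  for (let nic = startNic; nic < endNic; nic++) yield eui64LinkLocal(oui, nic);
}

// Probes per second with <concurrency> probes in flight, when every
// non-answering address holds its slot for the whole timeout.
function maxProbeRate(concurrency, timeoutMs) {
  return (concurrency * 1000) / timeoutMs;
}

// Seconds to sweep a 2^bits space at a given probe rate.
function scanSeconds(bits, probesPerSecond) {
  return 2 ** bits / probesPerSecond;
}

// Browser-side prober (assumption: any completed fetch, even an opaque
// no-cors response, means a host answered; an abort or a network error does
// not, and the browser does not say why a fetch failed).
async function fetchProbe(addr, timeoutMs) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    await fetch(`http://[${addr}]/`, { mode: 'no-cors', signal: ctrl.signal });
    return true;
  } catch {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// <concurrency> workers pull from one shared iterator, so at most that many
// probes are in flight; the loop ends when the iterator is exhausted.
async function scan(addresses, probe = fetchProbe,
                    { concurrency = 1000, timeoutMs = 3500 } = {}) {
  const it = addresses[Symbol.iterator]();
  const alive = [];
  let probed = 0;
  async function worker() {
    for (;;) {
      const { value: addr, done } = it.next();
      if (done) return;
      probed += 1;
      if (await probe(addr, timeoutMs)) alive.push(addr);
    }
  }
  await Promise.all(Array.from({ length: concurrency }, worker));
  return { probed, alive };
}

// The thread's figures: ~1000 probes/s needs ~3500 in flight at a 3500 ms timeout.
const rate = maxProbeRate(3500, 3500);
console.log(`rate ${rate}/s: 24-bit space ${(scanSeconds(24, rate) / 3600).toFixed(1)} h, ` +
            `64-bit space ${(scanSeconds(64, rate) / SECONDS_PER_YEAR).toExponential(2)} years`);
```

The scan() loop is what a real page would run with fetchProbe; the arithmetic is what matters for the draft's point. At 1000 probes/s the 24-bit EUI-64 space takes about 4.7 hours and the 64-bit space about 5.8e8 years, matching the quoted estimate. By the same arithmetic, the once-per-second rate reported in the follow-up above stretches the 24-bit sweep to 2^24 seconds, roughly 194 days, so the exposure for EUI-64 identifiers depends entirely on how much parallelism the browser actually permits, while a random 64-bit identifier is out of reach at any of these rates.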