RE: DoS attack ?

Nicolas Popp <nico@realnames.com> Thu, 06 December 2001 18:14 UTC

Return-Path: <ietf-irnss-errors@lists.elistx.com>
Received: from ELIST-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0GNX00804PBW53@eListX.com> (original mail from nico@realnames.com); Thu, 06 Dec 2001 13:14:21 -0500 (EST)
Received: from CONVERSION-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0GNX00801PBV51@eListX.com> for ietf-irnss@elist.lists.elistx.com (ORCPT ietf-irnss@lists.elistx.com); Thu, 06 Dec 2001 13:14:19 -0500 (EST)
Received: from DIRECTORY-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0GNX00801PBU50@eListX.com> for ietf-irnss@elist.lists.elistx.com (ORCPT ietf-irnss@lists.elistx.com); Thu, 06 Dec 2001 13:14:18 -0500 (EST)
Received: from friendly.realnames.com (friendly.realnames.com [63.251.238.102]) by eListX.com (PMDF V6.0-025 #44856) with SMTP id <0GNX00747PBTL5@eListX.com> for ietf-irnss@lists.elistx.com; Thu, 06 Dec 2001 13:14:18 -0500 (EST)
Received: (qmail 5892 invoked by uid 104); Thu, 06 Dec 2001 18:11:45 +0000
Received: from nico@realnames.com by friendly.realnames.com with qmail-scanner-0.96 (. Clean. Processed in 0.836226 secs); Thu, 06 Dec 2001 18:11:45 +0000
Received: from heaven.internal.realnames.com (10.1.5.39) by friendly.realnames.com with SMTP; Thu, 06 Dec 2001 18:11:44 +0000
Received: From RINCON.INTERNAL.REALNAMES.COM (10.1.5.99[10.1.5.99 port:3559]) by heaven.internal.realnames.com Mail essentials (server 2.422) with SMTP id: <159874@heaven.internal.realnames.com> for <newcat@spsoft.co.kr>; Thu, 06 Dec 2001 10:07:57 +0000 (AM)
Received: by rincon.centraal.com with Internet Mail Service (5.5.2653.19) id <XHJ5GX2L>; Thu, 06 Dec 2001 10:11:14 -0800
Date: Thu, 06 Dec 2001 10:09:54 -0800
From: Nicolas Popp <nico@realnames.com>
Subject: RE: DoS attack ?
To: 'John C Klensin' <klensin@jck.com>, YangWoo Ko <newcat@spsoft.co.kr>
Cc: ietf-irnss@lists.elistx.com
Message-id: <7FC3066C236FD511BC5900508BAC86FE4364D0@trestles.internal.realnames.com>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-type: text/plain; charset=iso-8859-1
List-Owner: <mailto:ietf-irnss-help@lists.elistx.com>
List-Post: <mailto:ietf-irnss@lists.elistx.com>
List-Subscribe: <http://lists.elistx.com/ob/adm.pl>, <mailto:ietf-irnss-request@lists.elistx.com?body=subscribe>
List-Unsubscribe: <http://lists.elistx.com/ob/adm.pl>, <mailto:ietf-irnss-request@lists.elistx.com?body=unsubscribe>
List-Archive: <http://lists.elistx.com/archives/ietf-irnss>
List-Help: <http://lists.elistx.com/elists/admin.shtml>, <mailto:ietf-irnss-request@lists.elistx.com?body=help>
List-Id: <ietf-irnss.lists.elistx.com>

You can also do what most search engines would.
You return a (small) range of ranked results in the set of results and your
last result is a referral back to you for the next range in the set...Then
you try to detect automated crawlers that recursively follow the referrals
and slow them down to a halt.

So, just from that standpoint, it could be useful for the protocol to
support the notion of results set range (query) as well as referral
(response).

-Nico

-----Original Message-----
From: John C Klensin [mailto:klensin@jck.com]
Sent: Thursday, December 06, 2001 9:50 AM
To: YangWoo Ko
Cc: ietf-irnss@lists.elistx.com
Subject: Re: DoS attack ?


--On Friday, 07 December, 2001 02:35 +0900 YangWoo Ko
<newcat@spsoft.co.kr> wrote:

> On Thu, Dec 06, 2001 at 12:15:01PM -0500, John C Klensin wrote:
>>   A search in that search layer can specify values for any
>>   combination of facets that the searcher, or search-vendor,
>>   finds appropriate.  Leaving one out is equivalent to "match
>>   anything that happens to be there".
> 
> Dear John Klensin,
> 
> What will happen if I send a query with {null, null, ...}
> tuple ? Can I download the whole database ? It looks like a
> very easy DoS attack.

I thought I had explained this in the "dns search" document, but
I think that any sensible search system vendor would prohibit
that case, presumably by returning an "are you crazy?" error
message.  It might even be sensible to require that at least a
name-string be present as a protocol matter (I think "dns
search" suggests that).  With or without such a protocol
restriction, I'd expect search system vendors to be able to
protect themselves against both DOS attacks and excessive data
mining by recognizing over-broad searches and prohibiting them. 

Note that, in principle, one could accomplish a "return the
whole internet" query by

   { {name-string "foo" ReallyBigNumber } 
     } ReallyBigNumber }

So just requiring that the name-string facet be present doesn't
help much if one permits arbitrarily-great distance between the
query string and strings in the database.

( In that notation, your (null, null, null,...) search on a
single database would be

   { { } 0 }
.)

    john