Re: DoS attack ?

John C Klensin <klensin@jck.com> Thu, 06 December 2001 17:54 UTC

Date: Thu, 06 Dec 2001 12:50:14 -0500
From: John C Klensin <klensin@jck.com>
Subject: Re: DoS attack ?
In-reply-to: <20011207023529.J29209@spsoft.co.kr>
To: YangWoo Ko <newcat@spsoft.co.kr>
Cc: ietf-irnss@lists.elistx.com

--On Friday, 07 December, 2001 02:35 +0900 YangWoo Ko
<newcat@spsoft.co.kr> wrote:

> On Thu, Dec 06, 2001 at 12:15:01PM -0500, John C Klensin wrote:
>>   A search in that search layer can specify values for any
>>   combination of facets that the searcher, or search-vendor,
>>   finds appropriate.  Leaving one out is equivalent to "match
>>   anything that happens to be there".
> 
> Dear John Klensin,
> 
> What will happen if I send a query with {null, null, ...}
> tuple ? Can I download the whole database ? It looks like a
> very easy DoS attack.

I thought I had explained this in the "dns search" document, but
I think that any sensible search system vendor would prohibit
that case, presumably by returning an "are you crazy?" error
message.  It might even be sensible to require that at least a
name-string be present as a protocol matter (I think "dns
search" suggests that).  With or without such a protocol
restriction, I'd expect search system vendors to be able to
protect themselves against both DOS attacks and excessive data
mining by recognizing over-broad searches and prohibiting them. 

Note that, in principle, one could accomplish a "return the
whole internet" query by

   { {name-string "foo" ReallyBigNumber } 
     } ReallyBigNumber }

So just requiring that the name-string facet be present doesn't
help much if one permits arbitrarily-great distance between the
query string and strings in the database.

(In that notation, your (null, null, null,...) search on a
single database would be

   { { } 0 }
.)

    john
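
Added example, not part of the original message or of the "dns search" document: one way a search service could recognize and refuse the over-broad queries discussed above, rejecting both the empty-facet query and the "name-string plus huge distance" query. The query model (a facet dictionary plus one match distance), the use of edit distance as the metric, and the limits `MAX_DISTANCE` and `MAX_RESULTS` are assumptions made for illustration.

```python
# Added illustration; query model and limits are assumptions, not from the draft.
MAX_DISTANCE = 2   # assumed cap on fuzzy-match distance
MAX_RESULTS = 3    # assumed cap on records returned per query

def edit_distance(a, b):
    """Levenshtein distance, a stand-in for whatever matching metric is used."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def validate(facets, distance):
    """Return None if the query is acceptable, else a rejection reason."""
    name = facets.get("name-string")
    if not name:                       # covers the {null, null, ...} query
        return "name-string facet required"
    if distance > MAX_DISTANCE:        # covers the ReallyBigNumber query
        return "match distance too large"
    if distance >= len(name):          # every character could be replaced
        return "distance covers the whole name-string"
    return None

def search(db, facets, distance):
    """Run a validated query; abort if it still matches too many records."""
    reason = validate(facets, distance)
    if reason:
        raise ValueError(reason)
    hits = []
    for rec in db:
        if edit_distance(facets["name-string"], rec["name-string"]) > distance:
            continue
        # An omitted facet matches anything; a supplied one must match exactly.
        if any(rec.get(k) != v for k, v in facets.items() if k != "name-string"):
            continue
        hits.append(rec)
        if len(hits) > MAX_RESULTS:    # data-mining guard on the result side
            raise ValueError("result set too large; narrow the query")
    return hits

# Constructed sample records.
DB = [{"name-string": n, "language": l} for n, l in
      [("foo", "en"), ("fop", "en"), ("food", "en"), ("bar", "en"), ("foobar", "ko")]]
```

The result-count check matters because a query can pass the syntactic checks and still match a large share of a dense database.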