Re: Flooding Attacks and MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
Jari Arkko <jari.arkko@piuha.net> Tue, 15 August 2006 19:10 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GD4It-0006rF-Hk; Tue, 15 Aug 2006 15:10:19 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GD4Is-0006rA-V9 for mipshop@ietf.org; Tue, 15 Aug 2006 15:10:18 -0400
Received: from p130.piuha.net ([193.234.218.130]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GD4Iq-0008Q7-Fu for mipshop@ietf.org; Tue, 15 Aug 2006 15:10:18 -0400
Received: from p130.piuha.net (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 3F7D289884; Tue, 15 Aug 2006 22:10:06 +0300 (EEST)
Received: from [127.0.0.1] (p130.piuha.net [193.234.218.130]) by p130.piuha.net (Postfix) with ESMTP id EA06B8984E; Tue, 15 Aug 2006 22:10:05 +0300 (EEST)
Message-ID: <44E21BFD.1080801@piuha.net>
Date: Tue, 15 Aug 2006 22:09:49 +0300
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Mozilla Thunderbird 1.0.8 (X11/20060725)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Narayanan, Vidya" <vidyan@qualcomm.com>
Subject: Re: Flooding Attacks and MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
References: <C24CB51D5AA800449982D9BCB903251311A61D@NAEX13.na.qualcomm.com> <44E19A1F.80802@tm.uka.de>
In-Reply-To: <44E19A1F.80802@tm.uka.de>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 92df29fa99cf13e554b84c8374345c17
Cc: mipshop@ietf.org
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org
> > >Yes -- but I believe for TCP this is hard, because it would >> imply being able to guess the sequence numbers. Otherwise the >> session won't even start. There are ways to guess the >> sequence numbers, but at least some of those ways involve >> additional cost for the attacker. >> > > > >I'd somewhat buy that :) I think spoofing the acks can be done, but it >does involve some cost. > > Lets talk about this in more detail. To get a flooding attack with TCP, you need to open a TCP session on behalf of someone else i.e. using a spoofed source address. Just sending a SYN is insufficient, because the TCP session will not start by itself unless you respond to the reply. For most applications you would also have to be able to send some initial data, e.g., HTTP GET. Finally, to get an efficient attack you would need to keep sending at least some ACKs so that TCP gets to a higher speed. For some TCP implementations, it was possible for the attacker to first detect what operating system and version the reflector node uses, open one TCP session from the attacker's true IP address, and then guess what initial sequence number the *next*, spoofed session gets. However, modern implementations should use a randomized initial sequence number which defeats this attack. I do not have a good estimate of how widely this has been implemented and turned on, but I believe it is quite widespread. With randomization, the attacker would have to send a large number of packets to succeed in hitting the right number. For some spoofing attacks it makes sense for an attacker to spend such an effort -- but not when it wants to flood the victim. It is also necessary to avoid the victim node's RST responses from disabling the attack. (See RFC 1948.) Based on the above, I think we have reasonable protection against using TCP in flooding attacks. But I don't dispute the fact that there's probably a fair number of other situations where such attacks are possible. And we have older TCP implementations (but that situation should improve over time). ---- One more follow-up: what the MIPSHOP document does is an improvement over the existing Mobile IPv6 mechanism. But it does not change the fundamental principles of the base protocol, such as whether there should be amplification/flooding attack protection in the RO part. I would suggest that if you believe that a change is needed in this respect we open another discussion about that. That discussion is bigger than the fate of a single optimization. --Jari _______________________________________________ Mipshop mailing list Mipshop@ietf.org https://www1.ietf.org/mailman/listinfo/mipshop
- [Mipshop] Review of draft-arkko-mipshop-cga-cba-04 Narayanan, Vidya
- Re: [Mipshop] Review of draft-arkko-mipshop-cga-c… Wassim Haddad
- RE: [Mipshop] Review of draft-arkko-mipshop-cga-c… Narayanan, Vidya
- [Mipshop] Review of draft-arkko-mipshop-cga-cba-04 Lakshminath Dondeti
- RE: [Mipshop] Review of draft-arkko-mipshop-cga-c… Narayanan, Vidya
- Re: [Mipshop] Review of draft-arkko-mipshop-cga-c… Christian Vogt
- Re: [Mipshop] Review of draft-arkko-mipshop-cga-c… Christian Vogt
- Flooding Attacks and MIP6 (was RE: [Mipshop] Revi… Narayanan, Vidya
- CGA-based HoA generation for MIP6 (was RE: [Mipsh… Narayanan, Vidya
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Jari Arkko
- RE: CGA-based HoA generation for MIP6 (was RE: [M… Narayanan, Vidya
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Narayanan, Vidya
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Jari Arkko
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Vijay Devarapalli
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Narayanan, Vidya
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Christian Vogt
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Jari Arkko
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Lakshminath Dondeti
- RE: CGA-based HoA generation for MIP6 (was RE: [M… Narayanan, Vidya
- RE: CGA-based HoA generation for MIP6 (was RE: [M… Wassim Haddad
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Lakshminath Dondeti
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Jari Arkko
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Vijay Devarapalli
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Narayanan, Vidya
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Christian Vogt
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Narayanan, Vidya