Re: [MMUSIC] ICE TCP and TCP amplification attack (mitigation)

Ari Keranen <ari.keranen@nomadiclab.com> Wed, 25 May 2011 11:04 UTC

Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72A3CE0690 for <mmusic@ietfa.amsl.com>; Wed, 25 May 2011 04:04:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kkdVsJbDjMvB for <mmusic@ietfa.amsl.com>; Wed, 25 May 2011 04:04:12 -0700 (PDT)
Received: from gw.nomadiclab.com (unknown [IPv6:2001:14b8:400:101::2]) by ietfa.amsl.com (Postfix) with ESMTP id 595CAE0681 for <mmusic@ietf.org>; Wed, 25 May 2011 04:04:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by gw.nomadiclab.com (Postfix) with ESMTP id 8BA024E6E1; Wed, 25 May 2011 14:04:08 +0300 (EEST)
X-Virus-Scanned: amavisd-new at nomadiclab.com
Received: from gw.nomadiclab.com ([127.0.0.1]) by localhost (inside.nomadiclab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Z3Thf6PEnAC; Wed, 25 May 2011 14:04:07 +0300 (EEST)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by gw.nomadiclab.com (Postfix) with ESMTP id 8EBB24E6D8; Wed, 25 May 2011 14:04:07 +0300 (EEST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Ari Keranen <ari.keranen@nomadiclab.com>
In-Reply-To: <002901cc1976$d8b86420$8a292c60$@com>
Date: Wed, 25 May 2011 14:04:07 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <FFC51B02-765C-4C46-B6D9-7E0A2452C8D5@nomadiclab.com>
References: <F47EF2BF-FF8B-4E28-BC9D-F2258790BBE5@nomadiclab.com> <002901cc1976$d8b86420$8a292c60$@com>
To: Dan Wing <dwing@cisco.com>
X-Mailer: Apple Mail (2.1084)
Cc: 'mmusic WG' <mmusic@ietf.org>
Subject: Re: [MMUSIC] ICE TCP and TCP amplification attack (mitigation)
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 May 2011 11:04:13 -0000

On May 23, 2011, at 9:25 PM, Dan Wing wrote:
>> -----Original Message-----
>> From: mmusic-bounces@ietf.org [mailto:mmusic-bounces@ietf.org] On
>> Behalf Of Ari Keranen
>> Sent: Thursday, May 19, 2011 7:29 AM
>> To: mmusic WG
>> Subject: [MMUSIC] ICE TCP and TCP amplification attack (mitigation)
>> 
>> Hi all,
>> 
>> Flemming identified a possible TCP amplification attack in ICE TCP:
>> 
>> On May 10, 2011, at 5:06 AM, Flemming Andreasen wrote:
>>> - Section 12
>>> I believe there is a TCP amplification attack similar to the STUN
>> amplification attack that requires consideration, since the TCP
>> connection is established prior to any STUN/ICE checks and involves TCP
>> state creation on the part of the attacked party.
>> 
>> That is, an attacker could put in the SDP offer a set of passive
>> reflexive candidates with the address of the victim and the answerer
>> would make a bunch of TCP connections towards the victim.
> 
> That attack is inherent to ICE itself, and not the fault or cause of
> the TURN-TCP specification.  If text is added to TURN-TCP, it would
> be nice to couch it with something like:
> 
>  A STUN amplification attack is described in Section 18.5.2 of 
>  [RFC5245], but unfortunately that specification did not describe
>  how [RFC5245] can also be used to launch a TCP amplification
>  attack.  
> 
> and the describe how TURN-TCP is but one way the TCP amplification
> could be launched.  The other way is that RFC5245 could be used
> without TURN-TCP.

I guess this is not really problem with TURN-TCP, but rather with ICE TCP, whether you use TURN or not. But you're right, the basic amplification attack is inherent to ICE itself. TCP just makes it worse since the victim needs to create TCP connection state instead of just dropping unsolicited UDP packets. Maybe we could say something along the lines of:

  A STUN amplification attack is described in Section 18.5.2 of [RFC5245]. Same considerations apply to TCP, but the amplification effect with TCP is larger due to need for establishing a TCP connection before any checks are performed. Therefore, an ICE agent SHOULD NOT have more than X outstanding TCP connection attempts with the same peer to the same IP address.


Regarding this attack, we could also add to the end of section 7.1 (STUN Client Procedures) in ICE TCP something like:

[once the connection is established] if the peer's response to the connectivity check is something else than a STUN message, the agent MUST close the connection and consider all pairs with that remote candidate as failed.

(since apparently the remote candidate was not an ICE agent, but could be a victim of a DoS attack)

>> A possible mitigation, as Flemming suggested, would be to limit the
>> number of outstanding TCP connection attempts to the same IP-address.
>> That sounds reasonable to me, since having many (un-frozen) candidates
>> from the same IP address seem unlikely anyway, but are there any other
>> ideas?
> 
> That sounds like a good approach.  

OK, then we'd need a recommended number; how many outstanding attempts to the same IP address do we allow?

Technically, one should be enough for all "normal" cases (right?), but maybe, e.g., more than one interface may in fact be behind the same CGN so more could be useful in some scenarios. How about 5? That should be enough for even more exotic cases, but yet make any DoS attack pretty weak.

> I wonder if Errata should be raised against RFC5245, instead or in
> addition?

Do you mean that RFC5245 should also mention the added effect of TCP?

Anyhow, probably also 5245(bis) could limit the number of outstanding checks to the same IP address even if UDP is used and consider non-STUN responses as a sign of invalid candidate, as discussed above.


Cheers,
Ari