Re: [MMUSIC] ICE TCP and TCP amplification attack (mitigation)

"Dan Wing" <dwing@cisco.com> Wed, 25 May 2011 16:02 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB804E0755 for <mmusic@ietfa.amsl.com>; Wed, 25 May 2011 09:02:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.481
X-Spam-Level:
X-Spam-Status: No, score=-110.481 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6M7hheTo8QB5 for <mmusic@ietfa.amsl.com>; Wed, 25 May 2011 09:02:56 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by ietfa.amsl.com (Postfix) with ESMTP id 2C390E0718 for <mmusic@ietf.org>; Wed, 25 May 2011 09:02:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=4590; q=dns/txt; s=iport; t=1306339376; x=1307548976; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=ujeudhTwRjTY1T3Vm4CGiaULo6im58qU7ui0eUYyMK0=; b=kBeDT2E0fbMe15QnOe3QjoGxL1Vdkqg2M0gD6DbN49JGe6Zshq2hQrii /LbPS51dVbeqjQP7h4TtxrGjqYAB7NkduGHoyJyHC+bwWcOLsiLnrC0w4 ZqztWhQQH2xBz+vWbVuvQhtX4kgbs8iGOarHSC8jvXBBSKZgt8n+CCpcI w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhMBAKEn3U2rRDoG/2dsb2JhbACXZ4FkjGF4iHCefZ13hhwEhluYew
X-IronPort-AV: E=Sophos;i="4.65,267,1304294400"; d="scan'208";a="703206117"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by sj-iport-6.cisco.com with ESMTP; 25 May 2011 16:02:55 +0000
Received: from dwingWS ([10.32.240.194]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p4PG2tC0003344; Wed, 25 May 2011 16:02:55 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Ari Keranen' <ari.keranen@nomadiclab.com>
References: <F47EF2BF-FF8B-4E28-BC9D-F2258790BBE5@nomadiclab.com> <002901cc1976$d8b86420$8a292c60$@com> <FFC51B02-765C-4C46-B6D9-7E0A2452C8D5@nomadiclab.com>
In-Reply-To: <FFC51B02-765C-4C46-B6D9-7E0A2452C8D5@nomadiclab.com>
Date: Wed, 25 May 2011 09:02:55 -0700
Message-ID: <099101cc1af5$35bd2640$a13772c0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acway31Q1aVAHMKRRgy3zoIegb+6kgAKT/fA
Content-Language: en-us
Cc: 'mmusic WG' <mmusic@ietf.org>
Subject: Re: [MMUSIC] ICE TCP and TCP amplification attack (mitigation)
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 May 2011 16:02:56 -0000

> -----Original Message-----
> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com]
> Sent: Wednesday, May 25, 2011 4:04 AM
> To: Dan Wing
> Cc: 'mmusic WG'
> Subject: Re: [MMUSIC] ICE TCP and TCP amplification attack (mitigation)
> 
> On May 23, 2011, at 9:25 PM, Dan Wing wrote:
> >> -----Original Message-----
> >> From: mmusic-bounces@ietf.org [mailto:mmusic-bounces@ietf.org] On
> >> Behalf Of Ari Keranen
> >> Sent: Thursday, May 19, 2011 7:29 AM
> >> To: mmusic WG
> >> Subject: [MMUSIC] ICE TCP and TCP amplification attack (mitigation)
> >>
> >> Hi all,
> >>
> >> Flemming identified a possible TCP amplification attack in ICE TCP:
> >>
> >> On May 10, 2011, at 5:06 AM, Flemming Andreasen wrote:
> >>> - Section 12
> >>> I believe there is a TCP amplification attack similar to the STUN
> >> amplification attack that requires consideration, since the TCP
> >> connection is established prior to any STUN/ICE checks and involves
> TCP
> >> state creation on the part of the attacked party.
> >>
> >> That is, an attacker could put in the SDP offer a set of passive
> >> reflexive candidates with the address of the victim and the answerer
> >> would make a bunch of TCP connections towards the victim.
> >
> > That attack is inherent to ICE itself, and not the fault or cause of
> > the TURN-TCP specification.  If text is added to TURN-TCP, it would
> > be nice to couch it with something like:
> >
> >  A STUN amplification attack is described in Section 18.5.2 of
> >  [RFC5245], but unfortunately that specification did not describe
> >  how [RFC5245] can also be used to launch a TCP amplification
> >  attack.
> >
> > and the describe how TURN-TCP is but one way the TCP amplification
> > could be launched.  The other way is that RFC5245 could be used
> > without TURN-TCP.
> 
> I guess this is not really problem with TURN-TCP, but rather with ICE
> TCP, whether you use TURN or not. But you're right, the basic
> amplification attack is inherent to ICE itself. TCP just makes it worse
> since the victim needs to create TCP connection state instead of just
> dropping unsolicited UDP packets. Maybe we could say something along
> the lines of:
> 
>   A STUN amplification attack is described in Section 18.5.2 of
> [RFC5245]. Same considerations apply to TCP, but the amplification
> effect with TCP is larger due to need for establishing a TCP connection
> before any checks are performed. Therefore, an ICE agent SHOULD NOT
> have more than X outstanding TCP connection attempts with the same peer
> to the same IP address.

Such a statement seems out of scope for TURN-TCP, but it's the best we can
do without updating ICE itself to mention the TCP attack, I guess.

> Regarding this attack, we could also add to the end of section 7.1
> (STUN Client Procedures) in ICE TCP something like:
> 
> [once the connection is established] if the peer's response to the
> connectivity check is something else than a STUN message, the agent
..................................^^^^
                                "other"
> MUST close the connection and consider all pairs with that remote
> candidate as failed.
> 
> (since apparently the remote candidate was not an ICE agent, but could
> be a victim of a DoS attack)

Ok.

> >> A possible mitigation, as Flemming suggested, would be to limit the
> >> number of outstanding TCP connection attempts to the same IP-
> address.
> >> That sounds reasonable to me, since having many (un-frozen)
> candidates
> >> from the same IP address seem unlikely anyway, but are there any
> other
> >> ideas?
> >
> > That sounds like a good approach.
> 
> OK, then we'd need a recommended number; how many outstanding attempts
> to the same IP address do we allow?
>
> Technically, one should be enough for all "normal" cases (right?), but
> maybe, e.g., more than one interface may in fact be behind the same CGN
> so more could be useful in some scenarios. How about 5? That should be
> enough for even more exotic cases, but yet make any DoS attack pretty
> weak.

5 sounds plenty.

> > I wonder if Errata should be raised against RFC5245, instead or in
> > addition?
> 
> Do you mean that RFC5245 should also mention the added effect of TCP?

Yes.

> Anyhow, probably also 5245(bis) could limit the number of outstanding
> checks to the same IP address even if UDP is used and consider non-STUN
> responses as a sign of invalid candidate, as discussed above.

Yes, that is also a good idea.

-d


> 
> 
> Cheers,
> Ari=