Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

Marten Seemann <> Fri, 30 November 2018 04:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2AE53127AC2 for <>; Thu, 29 Nov 2018 20:30:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.46
X-Spam-Status: No, score=-9.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pyft1tcrgmsA for <>; Thu, 29 Nov 2018 20:30:27 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D2F12126C7E for <>; Thu, 29 Nov 2018 20:30:26 -0800 (PST)
Date: Thu, 29 Nov 2018 20:30:25 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1543552225; bh=3k5LOACOzT+gSCjbZwhsEQMlVOV7cmUvU4y8Zxj1nIs=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=f+DcHa09tcOfYoAHL0d+cDsKzWVMDpMuKHh0daROMGsPN6t3IybNLKudTWFPoY44Y 6rnmtRtgDZi5TreK3hzswtYYgsvAiVumhpx1FdnBw66axB7Qcun1vG2501oDACgP/y +nqNEFZ8ggjIA5HGZP4Rjr9aeCrm531/TyIBeKTU=
From: Marten Seemann <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2064/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c00bce18fa1b_65f03fc1502d45b45962e"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: marten-seemann
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Nov 2018 04:30:28 -0000

It's sufficient to be on path and observe packets sent from the client to the server to obtain a token sent in a NEW_TOKEN frame. Getting a Retry token is marginally easier, since you can observe it in both directions, but this would allow you to direct traffic to that IP address until the expiry date of the token (which might be days).

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: