Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
MikkelFJ <notifications@github.com> Fri, 30 November 2018 20:53 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1280E130FF9 for <quic-issues@ietfa.amsl.com>; Fri, 30 Nov 2018 12:53:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.46
X-Spam-Level:
X-Spam-Status: No, score=-9.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rwjQ0c0NNNzE for <quic-issues@ietfa.amsl.com>; Fri, 30 Nov 2018 12:53:15 -0800 (PST)
Received: from out-7.smtp.github.com (out-7.smtp.github.com [192.30.252.198]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89409130E8F for <quic-issues@ietf.org>; Fri, 30 Nov 2018 12:53:15 -0800 (PST)
Date: Fri, 30 Nov 2018 12:53:14 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1543611194; bh=zooDgPF1ddz4+siqdatLlvzfHSnn/dkzxlTlieSPV/c=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=ksew5tsX/g/ExezWk6qZCMVFG/hzuiQL6oorG5AcCvdWRypsgLPct6EwnLSPIZgfo 8UJ1pIxiN0Qksz6hCz9UVw2vxj1YXyQo9vKwY30bpBGMoie2oqSJ63UAcEM0sKzObY Z5CtmYBpxGI9ccL+kiJRSaN+nYvNUg2jYfKRzweY=
From: MikkelFJ <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4abb8d55fac620cf36f70880c854a5799755059b45e92cf000000011819653a92a169ce16f92d74@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2064/c443336030@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2064@github.com>
References: <quicwg/base-drafts/pull/2064@github.com>
Subject: Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c01a33a9f738_cca3fbbbccd45bc22065d"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/CT5VE50jCcg_6RCtWMYpHigUgFs>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 20:53:17 -0000
OK, maybe I need to read up on things. But I had this idea that the if you have the token, it is because you received it, so sending it back proves that you have the IP. But if you can steal the token and spoof your source IP to some DDoS target the server will then attempt handshake with the target because it thinks the address has been validated. My suggestion was to ensure that the token cryptographically encodes the IP so the attacker cannot force a handshake with anyone other than the client that it stole the token from. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/2064#issuecomment-443336030
- [quicwg/base-drafts] Amplification attack using r… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… Martin Thomson
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… Martin Thomson
- Re: [quicwg/base-drafts] Amplification attack usi… ianswett
- Re: [quicwg/base-drafts] Amplification attack usi… ianswett
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… janaiyengar
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… janaiyengar
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… Marten Seemann
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… MikkelFJ
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… MikkelFJ
- Re: [quicwg/base-drafts] Amplification attack usi… MikkelFJ
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… MikkelFJ
- Re: [quicwg/base-drafts] Amplification attack usi… MikkelFJ
- Re: [quicwg/base-drafts] Amplification attack usi… janaiyengar
- Re: [quicwg/base-drafts] Amplification attack usi… MikkelFJ
- Re: [quicwg/base-drafts] Amplification attack usi… Marten Seemann
- Re: [quicwg/base-drafts] Amplification attack usi… Kazuho Oku
- Re: [quicwg/base-drafts] Amplification attack usi… ianswett
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… ianswett
- Re: [quicwg/base-drafts] Amplification attack usi… Marten Seemann
- Re: [quicwg/base-drafts] Amplification attack usi… Martin Thomson
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema
- Re: [quicwg/base-drafts] Amplification attack usi… MikkelFJ
- Re: [quicwg/base-drafts] Amplification attack usi… Dmitri Tikhonov
- Re: [quicwg/base-drafts] Amplification attack usi… Martin Thomson
- Re: [quicwg/base-drafts] Amplification attack usi… janaiyengar
- Re: [quicwg/base-drafts] Amplification attack usi… janaiyengar
- Re: [quicwg/base-drafts] Amplification attack usi… ianswett
- Re: [quicwg/base-drafts] Amplification attack usi… Kazuho Oku
- Re: [quicwg/base-drafts] Amplification attack usi… Martin Thomson
- Re: [quicwg/base-drafts] Amplification attack usi… MikkelFJ
- Re: [quicwg/base-drafts] Amplification attack usi… Christian Huitema