Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

MikkelFJ <> Fri, 30 November 2018 20:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1280E130FF9 for <>; Fri, 30 Nov 2018 12:53:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.46
X-Spam-Status: No, score=-9.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rwjQ0c0NNNzE for <>; Fri, 30 Nov 2018 12:53:15 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 89409130E8F for <>; Fri, 30 Nov 2018 12:53:15 -0800 (PST)
Date: Fri, 30 Nov 2018 12:53:14 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1543611194; bh=zooDgPF1ddz4+siqdatLlvzfHSnn/dkzxlTlieSPV/c=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=ksew5tsX/g/ExezWk6qZCMVFG/hzuiQL6oorG5AcCvdWRypsgLPct6EwnLSPIZgfo 8UJ1pIxiN0Qksz6hCz9UVw2vxj1YXyQo9vKwY30bpBGMoie2oqSJ63UAcEM0sKzObY Z5CtmYBpxGI9ccL+kiJRSaN+nYvNUg2jYfKRzweY=
From: MikkelFJ <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2064/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c01a33a9f738_cca3fbbbccd45bc22065d"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Nov 2018 20:53:17 -0000

OK, maybe I need to read up on things. But I had this idea that the if you have the token, it is because you received it, so sending it back proves that you have the IP.

But if you can steal the token and spoof your source IP to some DDoS target the server will then attempt handshake with the target because it thinks the address has been validated.

My suggestion was to ensure that the token cryptographically encodes the IP so the attacker cannot force a handshake with anyone other than the client that it stole the token from.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: