Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

Marten Seemann <> Sat, 08 December 2018 02:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6D48D131072 for <>; Fri, 7 Dec 2018 18:38:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.46
X-Spam-Status: No, score=-9.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nW7wpb30-BLi for <>; Fri, 7 Dec 2018 18:38:00 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E9A44130F7B for <>; Fri, 7 Dec 2018 18:37:59 -0800 (PST)
Date: Fri, 07 Dec 2018 18:37:58 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1544236678; bh=uiMRU97WCTkwl/U9eUppF4KJUB0mnAYHw9O2OyWqUAg=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=j7QdvxNY1j+YlK/aZ0fHxDF8u1z4mvmxW9BW5UJ8LXomNdwd5oAEdFq58BBsSIdBs u1jpNOrd9svFjaFXQK+era25IrXpXHD9YiSm+WWXdY32t5SvTZC7pR4hPvSDbMdNrw b/RlQ2x1g52VQPGb7Mnaeu1NS5+rS81YQf82rJaw=
From: Marten Seemann <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2064/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c0b2e868dfda_7cb93f8d946d45b4629c"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: marten-seemann
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 08 Dec 2018 02:38:03 -0000

>  if I recall correctly, there was an intense discussion about 0-RTT and session ticket reuse in the TLS working group. Some forms of 0-RTT replay attacks can be prevented if session tickets are used at most once, or at least if session tickets enable 0-RTT data at most once per use. That discussion showed that at-most-once was very hard to handle in a big server farm, as it would require centralized management of state across many servers. See section 8 of RFC8446, "0-RTT and Anti-Replay" for the resulting compromise.

I think we're talking about different security properties here. QUIC tokens are designed to **only** prove reachability at a specific IP address, and don't contain any sensitive information beyond that. Token reuse is therefore only a problem **if** it can be used by an attacker to flood the client with more unwanted traffic than either the client or the network can handle at any given time.

>> I don't a short token life time works as a protection here. I expect servers to issue tokens (in NEW_TOKEN frames) that have the same life time as TLS session tickets, which, if I remember correctly, is a 7 days.
> I am not sure if that's correct. IIUC, the reason we split information that are maintained across connections to TLS session tickets and tokens was because they have different properties, including lifetime.

If I remember correctly, the reason we split those was to enable token validation without parsing of the packet contents and handing it off to the TLS stack. That being said, I think you're right that tokens might have a different life time than session tickets.
Since most (?) ISPs reassign a new IP address to the customers every 24 hours (at least that's how they typically do it in Germany), a token would become worthless after this time. I'd therefore expect a NEW_TOKEN token to be valid for around that duration.

But even if this was not the case, and the token validity was just on the order of a minute, we'd have a problem here. An attacker who captures such a token can make the server send traffic with a high amplification factor to the client for the lifetime of that token.
This might even be a problem for Retry tokens, which will only be valid for a few seconds: If the attacker can cause a high load on the path to the client, it might succeed in creating enough congestion that the packets belonging to the actual handshake are dropped.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: