Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

ianswett <> Wed, 28 November 2018 21:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B95551274D0 for <>; Wed, 28 Nov 2018 13:21:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.46
X-Spam-Status: No, score=-4.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ywcGp8gurT6J for <>; Wed, 28 Nov 2018 13:21:36 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2531A124408 for <>; Wed, 28 Nov 2018 13:21:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=5h31zdRiqA7Cx9Qfb5G1AzNlkqE=; b=Y27v5uXwbKnwZLUq 5HIEq/9MTXWAKOpWLb/iqIdrs4Jdk30HeJX8jSxivCNvoZTZxPaNihvaMflzgY4I wST8kWJimuaP7JkrQs9Cj5Eq6GmJZQN//x9uFcoj0O57obJETjcfZ9/vjvt/7UF2 XbptiK0rkSN/E2pTY+5MATIvU7U=
Received: by with SMTP id filter0571p1iad2-29304-5BFF06DB-4 2018-11-28 21:21:31.141790579 +0000 UTC m=+1112066.444116094
Received: from (unknown []) by (SG) with ESMTP id ETnjYmhuSbWrsjrlLQyo7g for <>; Wed, 28 Nov 2018 21:21:31.122 +0000 (UTC)
Received: from (localhost []) by (Postfix) with ESMTP id 1C1D31E144E for <>; Wed, 28 Nov 2018 13:21:31 -0800 (PST)
Date: Wed, 28 Nov 2018 21:21:31 +0000
From: ianswett <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2064/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bff06db1a9ad_63de3fc9604d45b8190266"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ianswett
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-SG-EID: l64QuQ2uJCcEyUykJbxN122A6QRmEpucztpreh3Pak1pNiQIpHvrCIjUu9u80uMxjAuzDmvXJsidC0 0AqhpeC6qtqwvlYO/2/O2t1lGGziKv8j+tXC5nVQ3V8LGztuNewxF5iTwhSLEC5xDdR91A6vgaVOYF 1+JPeoWRdukm4I5MgtkdxQ0QseFSA1SMytYjaw49XMr9XB2CGAcqlsb6ag==
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Nov 2018 21:21:38 -0000

ianswett commented on this pull request.

> @@ -1637,6 +1637,9 @@ able to reuse a token.  To avoid attacks that exploit this property, a server
 can limit its use of tokens to only the information needed validate client
+Fraudulently obtained tokens could enable botnets to use servers as amplifiers
+in DDOS attacks. Servers SHOULD protect against such attacks by ensuring that
+tokens are used by clients only once.

I think this issue applies to non-fraudulently obtained tokens as well, but it's worse for the case you outlined in the description, since it's lower cost.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: