Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

ianswett <> Wed, 28 November 2018 21:19 UTC


ianswett commented on this pull request.

> @@ -1637,6 +1637,9 @@ able to reuse a token.  To avoid attacks that exploit this property, a server
 can limit its use of tokens to only the information needed validate client
+Fraudulently obtained tokens could enable botnets to use servers as amplifiers
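
Review bot: the added line "Fraudulently obtained tokens could enable botnets to use servers as amplifiers" names the risk, but the visible part of the hunk does not say how the token leads to amplification or what a server should do about it. Consider stating the condition the PR title describes (a token presented from a spoofed address) and tying the sentence to the preceding guidance about limiting token use, so that an implementer reads it as a requirement rather than an observation. Separately, the context line above reads "only the information needed validate client", which is missing "to" after "needed"; since this change touches the paragraph, it could be fixed in the same commit.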

Fraudulently obtained tokens could enable attackers to use servers as amplifiers
