Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

Martin Thomson <> Wed, 12 December 2018 06:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8DB83131110 for <>; Tue, 11 Dec 2018 22:25:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.056
X-Spam-Status: No, score=-8.056 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZClvb9RmSugR for <>; Tue, 11 Dec 2018 22:25:47 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D9192131106 for <>; Tue, 11 Dec 2018 22:25:46 -0800 (PST)
Date: Tue, 11 Dec 2018 22:25:45 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1544595945; bh=AtElNEchoLV49snjQ3Y6nO6qKdaHwiUblxpb+Pn2/g0=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=HVvAsRPJ1yMCfmd4RJu24cgXjpMFERisiMTeizr7h1bM4ZHuV0Rd9Ti2htcoKdtTn MpcLBQXldQeb4qmS6boPbT63A/PHz23rUk0gERgdsv1MCmGvvh2kpf4kdhluRsxvtW 9QUVJE3qtQXIaqRUo2THtjYNAKUK6J+0FeUbRndI=
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2064/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c10a9e979f03_79403f9978ad45c07436d9"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 12 Dec 2018 06:25:49 -0000

How about:

> Attackers could replay tokens to use servers as amplifiers in DDoS attacks. To protect
against such attacks, servers SHOULD ensure that tokens sent in Retry packets are only accepted for a short time.  Tokens that are provided in NEW_TOKEN frames (see {{frame-new-token}}) need to be valid for longer, but SHOULD NOT be accepted multiple times in a short period.  Servers are encouraged to allow tokens to be used only once, if possible.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: