Re: Entropy in headers for connection identification at a stateful firewall

Töma Gavrichenkov <> Tue, 06 November 2018 09:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B7AD6130DDF for <>; Tue, 6 Nov 2018 01:22:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lvoKuGEbktew for <>; Tue, 6 Nov 2018 01:22:41 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::c2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CC29D130DC5 for <>; Tue, 6 Nov 2018 01:22:40 -0800 (PST)
Received: by with SMTP id l66-v6so4468119ywl.7 for <>; Tue, 06 Nov 2018 01:22:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Lm7pyo61bsTZgPsQrgdFLnadeTjd6BSgJsnGzltJGsA=; b=jl7FEj9x75WsWVWPoLBOgDSVVY+alZNlQKYxoGi18KRIo6CIqxKHy75hvDlu4adhez 7tctkkssrREHdrOd1gq/VZwFtWMBohrOqoqqr9CbeoLuehgw3a85d8Pj/VSp0tzRtCEb pVzdOa7H+8UNZOx+3FpauH/F6mmt81y9jxraGUAQhIpETE+72tNZwxrVXQ3JFjX19m+v Q/DqVbE5aJ8omCtS3m4VkDLq7zBHCbW8MfAyIvkrzhnOcMVxo1cuEVk30Wf/IKmi71uh RPN0FDWc2SqQxhVZgU+oAdJ5h4Q5R02DtSnsMPFtQ1GkpJ0/exdlFSLN//GQROsIZxPP e9oQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Lm7pyo61bsTZgPsQrgdFLnadeTjd6BSgJsnGzltJGsA=; b=DKQKE5gjEtGINfgj6rKEVy3BO0tEMlAdIYQ1vQGmijhSzUC2OxJCxtS9wJC8/cSHrb 69/1OpGwLQReuU9oPrehnaW99dz1oghdkI4RiMw/cp1DQKRMMxRcRjZCEV04pd+i0KuQ ivhCqxxzPQSeuM6x57tx9U5j14xZcFvTiAWOLGsuvWR0rBH3F1bqqSO/8aDZFMAgi3w0 EnAVjA4mvm5/r2BomImjVbLar5VuapZn5cT5VH4kBrot9vYtP/+2AZS7Ohh1FbUt2pP5 yVl3oBbQpbckJXMG1RNdaSmKZ1LsHqXFM40YbWySggMogiOJAy8YRKCvkmT5OcajE8kE bE5A==
X-Gm-Message-State: AGRZ1gLoYQnZ8Vhys9ytsIO3qTgw9NwhbgZ8AovR09HKnfxrtKbL2Ilw jrpPur4Nz4P/oV0hIoQLo7QAecaHnYFa/o/Yc+o=
X-Google-Smtp-Source: AJdET5dze1FlAmvnHA38CEOum7tsanb4K+TTIgRvzZrLsSzDCYK/ml78eyaM5quDCAZEY8icVszGoKlemGdnQz3clzI=
X-Received: by 2002:a81:af5a:: with SMTP id x26-v6mr24691250ywj.281.1541496159680; Tue, 06 Nov 2018 01:22:39 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: =?UTF-8?Q?T=C3=B6ma_Gavrichenkov?= <>
Date: Tue, 6 Nov 2018 16:22:27 +0700
Message-ID: <>
Subject: Re: Entropy in headers for connection identification at a stateful firewall
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 06 Nov 2018 09:22:43 -0000

Hi Mikkel,

Thank you for your input,

> If a middlebox experience excessive load on some 5-tuples or connection ID’s it can issue a RETRY on new connections. If a client gives up a connection due to timeouts etc. it might try to create a new connection. This new connection might land on the same problematic middlebox. This middlebox then issues a RETRY that informs the client to try to connect to another server which hopefully lands it a on path that is not subject to attack. A RETRY only has one level, so if the new location is also under attack, the client must abort the connection attempt altogether and start over from scratch. It might then get lucky for example by choosing a random IP from a DNS record.

Well, like I said, there wouldn't be any problem with the middlebox,
it would be able to handle virtually any possible load. It's the
client who wouldn't.

RETRYing on connection is something I also thought of, but in case of
latency- and jitter-specific applications (AV streaming, gaming, etc.)
a constant connection retry could actually be an attacker's purpose.

As a side note, usually we don't have any control on either the client
or, especially, the server. We don't know if it deploys one IP address
to DNS or more. In theory, a solution might be to set up a proxy on
the path, but in reality it's too complicated and, ironically, would
severily harm the user's privacy.