Re: Proposal: Increase QUIC Amplification Limit to 5x
Ian Swett <ianswett@google.com> Wed, 31 July 2024 16:07 UTC
Return-Path: <ianswett@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBB62C14F6A6 for <quic@ietfa.amsl.com>; Wed, 31 Jul 2024 09:07:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.607
X-Spam-Level:
X-Spam-Status: No, score=-17.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VxCLo1pWzYnC for <quic@ietfa.amsl.com>; Wed, 31 Jul 2024 09:07:15 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 101B5C169438 for <quic@ietf.org>; Wed, 31 Jul 2024 09:07:15 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id 5614622812f47-3dab336717fso3980803b6e.0 for <quic@ietf.org>; Wed, 31 Jul 2024 09:07:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1722442034; x=1723046834; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=UkJ3AwBIx0kFFDrfhESybMH4gzLM8MdQQBu3Bsh6fl0=; b=dIm5NRwpcqlLxyOqG8+eHhr85Wl2mdGs/YJI+Ab3juMlE0DLBlVeLolQ04sSnsZnj+ 1E3ToxWKUAgYlGYNmtI7J09MR5kvt3z7/K98joxJ6tL/Yzs+cjuSrC5Smf/fzgamebs+ gyY6SJCtsWAkklhqNYeCMZNcN4VutlKpx9BBI8nQA/s1lutYM31QFJ3BHlmy8SMtFL4s 0MzY8K+/6H30MHYi3N8Y/jZkeS+j4XGsWJy8ekbPDx6djHAdhMaayxA3p+O+UAQaXf5K yoBkwF0wy3Qw/BkC6nr6aY2M61fA0xpIVIQ2kDsls5VkIYmO2o2fr8+27pR9OoU6p5NF ixJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722442034; x=1723046834; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=UkJ3AwBIx0kFFDrfhESybMH4gzLM8MdQQBu3Bsh6fl0=; b=sUDLE9JF9Pd7zX5a3whpfXJEZyyVMTvk/1aiRUYzqdTohL3PaPzULg6/vkIs7SwyuB 0XvktHrsTxdmRFjk6RH5qlTgIXw0x0TGufbg/8Q+4hbYsfSrBKjF/3OoEGkm17sx8Nh9 IAAy/YSiHkIqSAV/s6iDR05W95JtpGMgCPz6S2k/j0kBaNZfU2WHt2lDO3IJqWdTpvEZ p3U8F8zJA9y9vNXaE7ezhPLkSOysTrnMzef4VY7NNvWfiJq03Skz9Pp2XuRg3sdGlKJR 0ozNzQ011SV2/GYoh/pou+jfyoZ6d4QH6jZ4CxyXYYP7rKbWewr4ZFP++bLa1Niptvno AAtA==
X-Forwarded-Encrypted: i=1; AJvYcCXk3ntxDXxSnrywZsXbBwK9KG25mUdFP+mU3YAhRbIgSuqtXZy+ZI/9+Q8mVUsZqInfS+P6QZVbtayVXtJ1
X-Gm-Message-State: AOJu0Yzye4LbUbBHLVeq7/2h9RvCPE8o+SJqEr4m8C2wC/H4HmSmzRtL EuvwYlo1FFtIYRN5ivhOQFBvtTLM9D3PXdBkove0FUsLWn80V4kiQrP2oxk3wAIG9JWex9G7La7 KE61skJgvGo5fF5Awv1ju4mWlS9GypzYI+oWxl282HPv76wm5Xw5X
X-Google-Smtp-Source: AGHT+IHmMNmGIB9QHazMcwFyh0HhzmflE+A0Gpjive9V1mTMfKQOFmT4C9sFv0P3vWCOHcUsOiJke3dnJ6uTqE9ftZw=
X-Received: by 2002:a05:6808:1701:b0:3d5:60fa:d717 with SMTP id 5614622812f47-3db23a61e68mr15560156b6e.41.1722442033839; Wed, 31 Jul 2024 09:07:13 -0700 (PDT)
MIME-Version: 1.0
References: <BL1PR21MB31152570F4497EBE91B3AF9FB3B02@BL1PR21MB3115.namprd21.prod.outlook.com> <4aac2fae-ddc6-453c-b974-751a7a37967c@redbarn.org> <ac725575-da13-4365-90ce-8ea55bc46e72@huitema.net>
In-Reply-To: <ac725575-da13-4365-90ce-8ea55bc46e72@huitema.net>
From: Ian Swett <ianswett@google.com>
Date: Wed, 31 Jul 2024 12:07:01 -0400
Message-ID: <CAKcm_gOCJha0ey38+L3MUEmCxdid4NoJQUVXzp=qaVM0Sh-QCg@mail.gmail.com>
Subject: Re: Proposal: Increase QUIC Amplification Limit to 5x
To: Christian Huitema <huitema@huitema.net>
Content-Type: multipart/alternative; boundary="000000000000936566061e8d495e"
Message-ID-Hash: W3XN25HRFHUBIYSXTUZ2L2L5TNRWGNFJ
X-Message-ID-Hash: W3XN25HRFHUBIYSXTUZ2L2L5TNRWGNFJ
X-MailFrom: ianswett@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-quic.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>, IETF QUIC WG <quic@ietf.org>, Nick Banks <nibanks=40microsoft.com@dmarc.ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/mf4HKkam1H-1Qo8N1rhA4dhon8A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Owner: <mailto:quic-owner@ietf.org>
List-Post: <mailto:quic@ietf.org>
List-Subscribe: <mailto:quic-join@ietf.org>
List-Unsubscribe: <mailto:quic-leave@ietf.org>
We found that once we deployed certificate compression, we could typically keep the cert under 3 packets, but without it, we typically went over. I believe one reason the QUIC WG chose 3 is because we had data to show that most certificates were small enough once compressed to enable a 1 RTT handshake. I'd be curious what your results are with and without certificate compression in your client? On Wed, Jul 31, 2024 at 11:15 AM Christian Huitema <huitema@huitema.net> wrote: > > > On 7/30/2024 5:52 PM, Paul Vixie wrote: > > Do we know a reason why the system's behavior won't move beyond the new > > limit the same way it moved beyond the old one? If it's some bizarre > > kind of leaky bucket let's have the showdown now rather than later when > > everything is larger and ossification has begun. > > The concern is that the wily hackers will send a single UDP "initial" > packet to a server, and the the server will reply with a complete flight > of packets including key exchanges, parameters and certificates. Send > 1.2KB to the server, see the server send back 5, 6 or maybe 10 packets > to the source IP of the UDP packet. With that the DDOS attack has been > "amplified" 5, 6 or maybe 10 times. > > The amplification limit is there to limit the usefulness of QUIC servers > for these DDOS attackers. The value 3 was chosen because with > "reasonable" configurations the server's first flight fits in 2 or 3 > packets, and that there are many UDP services that provide more than 3x > amplification (see > > https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks > ). > > But if we loosen the QUIC amplification limit while other services are > tightening, that situation will change. > > -- Christian Huitema > >
- Proposal: Increase QUIC Amplification Limit to 5x Nick Banks
- RE: Proposal: Increase QUIC Amplification Limit t… Nick Banks
- Re: Proposal: Increase QUIC Amplification Limit t… Matthias Waehlisch
- Re: Proposal: Increase QUIC Amplification Limit t… Paul Vixie
- Re: Proposal: Increase QUIC Amplification Limit t… Christian Huitema
- Re: Proposal: Increase QUIC Amplification Limit t… Ian Swett
- RE: Proposal: Increase QUIC Amplification Limit t… Nick Banks
- Re: Proposal: Increase QUIC Amplification Limit t… Martin Thomson
- Re: Proposal: Increase QUIC Amplification Limit t… Roberto Peon