Re: [rtcweb] Strawman for how to prevent voice-hammer without ICE
Harald Alvestrand <harald@alvestrand.no> Thu, 28 July 2011 20:49 UTC
On 07/28/11 03:52, Hadriel Kaplan wrote:
> Howdy,
> With regard to mandating ICE, such that an RTCWEB browser cannot send RTP without doing ICE successfully first... is that restriction purely to prevent the voice-hammer attacks? If so, then it's unfortunate because obviously it would seriously reduce interop with non-RTCWEB VoIP devices. But I think there's a way to prevent the hammer attack without using ICE, and without requiring legacy VoIP devices to change whatsoever.
>
> One way would be to use the receipt of RTP as an indicator the far-end expects to receive it from you. So have the browser generate RTP/RTCP packets, at a relatively slow rate, for a short duration (e.g., use the same rate/retransmit timers of STUN connectivity checks in ICE). If the browser receives RTP/RTCP packets, then the far-end expected to receive them as well and the browser can do normal RTP from then on.
>
> If this was a hammer attack, this doesn't generate any more load on the target than ICE, since ICE would have sent X number of STUN packets for Y time as well, and I'm suggesting the X and Y be the same values for the initial RTP packets during the "check" phase.
>
> The major weakness of this approach is that a malicious web-server trying to get your browser to do the voice hammer could send RTP to your browser, since it knows the address/ports of both sides, codec payload types, etc. (i.e., it can spoof being the attack target to make your browser think it's ok to do normal RTP) But we could probably play games with RTCP SR/RR or even just require continued RTP receipt to send RTP, in order to mitigate this weakness or make it of low value to exploit.

I think this approach is not paranoid enough.

The attacker will negotiate a channel claiming that you can reach him on 10.0.0.2 (your server that he wants to voice-hammer), and then send you the five or so RTP packets you expect with a fake source address of 10.0.0.2. Then you, having seen exactly the packets that "authorize" sending traffic to 10.0.0.2, will be performing the voice-hammer attack against the server that the attacker otherwise couldn't reach.

You would have to send RTP packets yourself (which will correctly be dropped on the floor by 10.0.0.2) until the time at which you can start wondering about there being no RTCP packets from 10.0.0.2 in order to have a 2-way handshake - and that only works if the RTCP RR contains enough stuff the attacker can't predict that he can't just generate the RTCP too.

(This doesn't work with ICE, because the ICE handshake involves the recipient replying to your packet with some parameters that can only be found in the request, not in the negotiation).

> Does anyone else care about interop-ing with legacy non-RTCWEB voip devices? I checked draft-ietf-rtcweb-use-cases-and-requirements-01 and I don't see it, so I'm not sure.
>
> -hadriel
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
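
The difference between the two consent rules discussed in this message, as an added sketch that is not part of the original e-mail or of any RTCWEB implementation: it compares "receipt of RTP authorizes sending" with an ICE-style rule that requires the reply to echo a random value carried only in the outbound request. The class and function names, the port number and the packet model are assumptions made for illustration; nothing is sent on a network.

```python
import hmac
import secrets
from dataclasses import dataclass

TARGET = ("10.0.0.2", 40000)  # address from the message; port is a constructed value

@dataclass(frozen=True)
class Packet:
    src: tuple          # claimed source address; the network does not authenticate it
    kind: str           # "rtp" or "stun-response"
    token: bytes = b""  # value echoed from the request (empty for RTP)

class RtpReceiptCheck:
    """Strawman rule: N RTP packets from the negotiated address authorize sending."""
    def __init__(self, peer, needed=5):
        self.peer, self.needed, self.seen = peer, needed, 0
    def on_packet(self, pkt):
        if pkt.kind == "rtp" and pkt.src == self.peer:
            self.seen += 1
    def may_send_media(self):
        return self.seen >= self.needed

class NonceEchoCheck:
    """ICE-style rule: the reply must echo a random value that only ever
    appeared in the request sent to the negotiated address."""
    def __init__(self, peer):
        self.peer, self.ok = peer, False
        self.txid = secrets.token_bytes(12)  # 96 bits, never placed in signaling
    def on_packet(self, pkt):
        if (pkt.kind == "stun-response" and pkt.src == self.peer
                and hmac.compare_digest(pkt.token, self.txid)):
            self.ok = True
    def may_send_media(self):
        return self.ok

def evaluate(sender_saw_request):
    """Return (rtp_rule, nonce_rule) decisions for one remote sender.
    sender_saw_request=False models a sender that knows only the signaling."""
    rtp, nonce = RtpReceiptCheck(TARGET), NonceEchoCheck(TARGET)
    echoed = nonce.txid if sender_saw_request else bytes(12)
    inbound = [Packet(TARGET, "rtp") for _ in range(5)]
    inbound.append(Packet(TARGET, "stun-response", echoed))
    for pkt in inbound:
        rtp.on_packet(pkt)
        nonce.on_packet(pkt)
    return rtp.may_send_media(), nonce.may_send_media()

if __name__ == "__main__":
    print("signaling knowledge only:", evaluate(False))
    print("reachable at the address:", evaluate(True))
```

The RTP-receipt rule grants consent in both cases because every field it checks is known from the negotiation, while the echo rule grants it only to a sender that actually received the request at the negotiated address.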