Re: [sidr] Another potential DOS attack on RP software?

Jared Mauch <jared@puck.nether.net> Thu, 23 January 2014 13:39 UTC

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <52E10F1A.8030800@smail.inf.h-brs.de>
Date: Thu, 23 Jan 2014 08:38:58 -0500
Message-Id: <A37A0209-6DC1-403C-B511-629DBB795DD2@puck.nether.net>
References: <CF03F5F3.5FD30%keyupate@cisco.com> <52E10F1A.8030800@smail.inf.h-brs.de>
To: Demian Rosenkranz <drosen2s@smail.inf.h-brs.de>
Cc: sidr@ietf.org
Subject: Re: [sidr] Another potential DOS attack on RP software?

On Jan 23, 2014, at 7:46 AM, Demian Rosenkranz <drosen2s@smail.inf.h-brs.de> wrote:

> Hi,
> 
> I'm thinking about another potential DoS attack. An entity which owns a CA certificate has the possibility to generate a huge hierarchy of further CA certificates without any limitation (as far as I know).
> 
> In contrast to the generation of a huge amount of ROAs, this attack isn't limited regarding the number of objects/certificates.
> 
> I.e. a compromised/bad entity owns a /16 prefix, generates 10000 CA certificates, hands down this prefix to the lowest CA certificate and generates 2^8 ROAs; relying party software would be forced to check this hierarchy 2^8 times.
> Of course, this is kind of a blunt attack but without making any provisions, this "local cache flooding" could lead to a disturbance of all (worst case) local caches for a certain time. Some smaller RP could be slower in remedying this.
> 
> Are there any restrictions to this attack I've missed? Any feedback is very welcome!

We certainly see this scale of prefix registration within the IRR dataset (folks registering each variant of the entire covering prefix of a /16, for example).

I imagine the same would be done with the same rationale by someone well intentioned.

- Jared
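An RP-side mitigation for the cost the quoted message describes, as an added example that is not code from the thread or from any RP implementation: every certificate in the hierarchy is decided once and cached, and a configurable depth limit stops work below an overlong path, so a 10000-CA chain with 2^8 ROAs costs about 10000 + 2^8 checks instead of 2^8 x 10000. The Cert model, the 10.0.0.0/8 tree, the names and the depth limit of 32 are assumptions; signature verification is stood in for by a counter.

```python
# Added illustration, not code from the thread; names, prefixes and the tree are constructed.
from dataclasses import dataclass
@dataclass
class Cert:
    name: str
    issuer: "str | None"      # None marks the trust anchor
    prefix: tuple             # IPv4 (address as int, prefix length), RFC 3779 style
def covers(parent, child):
    """True if the child prefix lies inside the parent prefix."""
    (p_addr, p_len), (c_addr, c_len) = parent, child
    return c_len >= p_len and (p_addr >> (32 - p_len)) == (c_addr >> (32 - p_len))
class Validator:
    def __init__(self, certs, max_depth=32):
        self.certs = {c.name: c for c in certs}
        self.max_depth = max_depth
        self.status = {}      # name -> (valid, depth); each certificate is decided once
        self.sig_checks = 0   # stand-in for signature verifications performed
    def validate(self, name):
        # Walk up only to the nearest already-decided ancestor: 2^8 ROAs under one chain
        # then cost depth + 2^8 checks instead of 2^8 * depth.
        path, cur = [], name
        while cur is not None and cur not in self.status:
            if cur not in self.certs:
                self.status[cur] = (False, 0)     # unknown issuer: reject
                break
            path.append(cur)
            cur = self.certs[cur].issuer
        for n in reversed(path):                  # decide top-down, caching each result
            cert = self.certs[n]
            if cert.issuer is None:
                ok, depth = True, 0
            else:
                iss_ok, depth = self.status[cert.issuer]
                depth += 1
                if not iss_ok or depth > self.max_depth:
                    ok = False                    # no crypto spent below a rejected or overlong path
                else:
                    self.sig_checks += 1
                    ok = covers(self.certs[cert.issuer].prefix, cert.prefix)
            self.status[n] = (ok, depth)
        return self.status[name][0]
def run_scenario(chain_len, roa_count, max_depth):
    """TA 10.0.0.0/8 -> chain_len CAs re-issuing 10.1.0.0/16 -> roa_count /24 EEs; returns (accepted, sig checks)."""
    certs, parent = [Cert("ta", None, (10 << 24, 8))], "ta"
    for i in range(chain_len):
        certs.append(Cert(f"ca{i}", parent, ((10 << 24) | (1 << 16), 16)))
        parent = f"ca{i}"
    ees = [Cert(f"ee{j}", parent, ((10 << 24) | (1 << 16) | (j << 8), 24)) for j in range(roa_count)]
    v = Validator(certs + ees, max_depth)
    return sum(v.validate(e.name) for e in ees), v.sig_checks
```

With the depth limit at 32, the 10000-deep chain is cut off after 32 signature checks and none of its ROAs are accepted; with the limit raised above the chain length, all 256 are accepted at 10256 checks in total.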