Re: [tcpm] DoS attack from misbehaving receivers
Rob Sherwood <capveg@cs.umd.edu> Thu, 11 January 2007 21:27 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H57SZ-0008TQ-Ow; Thu, 11 Jan 2007 16:27:43 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H57SY-0008TC-8a for tcpm@ietf.org; Thu, 11 Jan 2007 16:27:42 -0500
Received: from flyer.cs.umd.edu ([128.8.128.178]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H57SX-0007gG-1o for tcpm@ietf.org; Thu, 11 Jan 2007 16:27:42 -0500
Received: from loompa.cs.umd.edu (loompa.cs.umd.edu [128.8.128.63]) by flyer.cs.umd.edu (8.12.11.20060308/8.12.5) with ESMTP id l0BLRbCH006116; Thu, 11 Jan 2007 16:27:37 -0500
Received: (from capveg@localhost) by loompa.cs.umd.edu (8.12.10/8.12.5) id l0BLRXnW023894; Thu, 11 Jan 2007 16:27:33 -0500 (EST)
Date: Thu, 11 Jan 2007 16:27:32 -0500
From: Rob Sherwood <capveg@cs.umd.edu>
To: Caitlin Bestler <caitlinb@broadcom.com>
Subject: Re: [tcpm] DoS attack from misbehaving receivers
Message-ID: <20070111212732.GM2944@loompa.cs.umd.edu>
References: <20070111202843.GL2944@loompa.cs.umd.edu> <54AD0F12E08D1541B826BE97C98F99F1EE6E4E@NT-SJCA-0751.brcm.ad.broadcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <54AD0F12E08D1541B826BE97C98F99F1EE6E4E@NT-SJCA-0751.brcm.ad.broadcom.com>
User-Agent: Mutt/1.4.1i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 21c69d3cfc2dd19218717dbe1d974352
Cc: tcpm@ietf.org, david.malone@nuim.ie
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
> Before endorsing a counter-measure that calls for what was > previously non-compliant behavior there should be a showing > that the problem being solved is indeed severe and unique. Agreed. This is the crux of the discussion: is this attack severe enough to motivate the admittedly invasive change to the TCP stack. > If my understanding is correct, the problem is that an attacker > can simulate reception of more material than their actual local > link can support, and thereby trick a large group of senders > into saturating *their* local links and/or intermediate segments. This is mostly correct. The true concern is that *backbone* links, not just local links, will be saturated, bringing about, as the title suggests, Internet-wide congestion collapse. It is this concern that I feel motivates the need to change the specification. > But is it not correct that the same attack could be launched > from a botnet just as effectively even without faking acks? > Until typical home computers are more secure from being drafted > into a botnet is there a real benefit from this counter-measure? A botnet of sufficient size, maybe. An open question (read: subject of my current research) is how much traffic is required to overcome Internet backbone links. The reason for concern with the OptAck attack is that the amplification factors are large (~1600x and higher from the paper), which reduces the size of the botnet required to cause significant damage. For example, if a 100,000 node botnet has sufficient bandwidth to overwhelm backbone links without OptAck, then a 60 node botnet can overwhelm the network with OptAck. I believe that there is a qualitative difference between these two attacks in terms of attacker capability, i.e., it takes significantly more work to compromise 100K machines then 60. > Having transmitters engage in non-compliant behavour in order > to catch cheaters is a slippery slope best avoided. In general I agree, but I believe that the danger here is significant to warrant futher consideration. - Rob . _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] DoS attack from misbehaving receivers Stephen Hemminger
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Christian Huitema
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- Re: [tcpm] DoS attack from misbehaving receivers John Heffner
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers David Malone
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman