RE: [tcpm] New I-D posted : draft-moncaster-tcpm-rcv-cheat-00
"Caitlin Bestler" <caitlinb@broadcom.com> Wed, 21 February 2007 19:16 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HJwxD-0003h2-LR; Wed, 21 Feb 2007 14:16:39 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HJwxB-0003gI-7l for tcpm@ietf.org; Wed, 21 Feb 2007 14:16:37 -0500
Received: from mms3.broadcom.com ([216.31.210.19]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HJwx9-0008UQ-QI for tcpm@ietf.org; Wed, 21 Feb 2007 14:16:37 -0500
Received: from 10.10.64.154 by MMS3.broadcom.com with ESMTP (Broadcom SMTP Relay (Email Firewall v6.3.0)); Wed, 21 Feb 2007 11:16:21 -0800
X-Server-Uuid: 9206F490-5C8F-4575-BE70-2AAA8A3D4853
Received: by mail-irva-10.broadcom.com (Postfix, from userid 47) id 0D13D2AF; Wed, 21 Feb 2007 11:16:21 -0800 (PST)
Received: from mail-irva-8.broadcom.com (mail-irva-8 [10.10.64.221]) by mail-irva-10.broadcom.com (Postfix) with ESMTP id ED2122AE; Wed, 21 Feb 2007 11:16:20 -0800 (PST)
Received: from mail-sj1-12.sj.broadcom.com (mail-sj1-12.sj.broadcom.com [10.16.128.215]) by mail-irva-8.broadcom.com (MOS 3.7.5a-GA) with ESMTP id EYP93575; Wed, 21 Feb 2007 11:16:16 -0800 (PST)
Received: from NT-SJCA-0751.brcm.ad.broadcom.com (nt-sjca-0751 [10.16.192.221]) by mail-sj1-12.sj.broadcom.com (Postfix) with ESMTP id 2578720502; Wed, 21 Feb 2007 11:16:16 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: [tcpm] New I-D posted : draft-moncaster-tcpm-rcv-cheat-00
Date: Wed, 21 Feb 2007 11:16:14 -0800
Message-ID: <54AD0F12E08D1541B826BE97C98F99F101193858@NT-SJCA-0751.brcm.ad.broadcom.com>
In-Reply-To: <BAB4DC0CD5148948A86BD047A85CE2A7022D8F94@E03MVZ4-UKDY.domain1.systemhost.net>
Thread-Topic: [tcpm] New I-D posted : draft-moncaster-tcpm-rcv-cheat-00
Thread-Index: AcdUM1p48JkJlkW1QDC5NeLHuwq6tgAABe+wADfFPnAANXgAgA==
From: Caitlin Bestler <caitlinb@broadcom.com>
To: toby.moncaster@bt.com, tcpm@ietf.org
X-WSS-ID: 69C2450F3Y826066982-01-01
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.6 (/)
X-Scan-Signature: 2086112c730e13d5955355df27e3074b
Cc:
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
I am very skeptical that there is a transport layer problem here, as opposed to an application layer problem. Basically, I do not accept the following premise: A large server relies on honest network congestion feedback to efficiently apportion its own resources between receivers. If such a large server devotes an excessive fraction of its own resources to misbehaving receivers, it may well hit its own resource limits and have to starve other half-connections even if their network path has spare capacity. I would rather contend: A large server does not rely on network congestion feedback alone to efficiently apportion its own resources between receivers. If such a large receiver devotes an excessive fraction of its own resources to any receiver (whether misbehaving, malicious or merely greedy) it may well hit its own resource limits and have to starve other half-connections even if their network path has spare capacity. A server application that is willing to transmit multi-megabit flows to an anonymous client based solely on the alleged receive capacity of the receiver is so gullible it almost qualifies as a "willing accomplice". My understanding of this problem assumes the following: DoS attacks that seek to cause a server to send very large streams, and thereby cause local congestion at the server end, require establishing actual connections. Therefore the source of the attack is traceable. An attacker is unlikely to use their own machine for a traceable attack. Therefore these attacks would be launched from compromised machines, from a botnet. A compromised machine can already be used to "honestly" receive a stream at the compromised machine's capacity rate. The installed malware can simply throw the traffic away with very low CPU overhead. If clever, it can limit the rate to a fraction of the local bandwidth to avoid arousing suspicion of the machine's legitimate owner. Therefore the proposed test is intended as a countermeasure against attackers seeking to use optimistic acking to get a multiplier effect. By committing virtually all of the local machines receive bandwidth it can get the server to commit several times that on the server's local network. The fake receiver will ack packets that are actually reeived as though all prior packets had been received. An optimal attacker would probably simulate a long NAPI poll cycle of 100 HZ and ack the highest TCP sequence received ignoring all gaps. It would thereby simulate the behavior of an honest receiver that consolidated ACKs on a 100 HZ collection cycle. An important constraint is that the attacker wants to generate no fewer acks than an honest receiver actually receiving the packets would have. The greatest ACK to receive ratio that I can think of, this is also legitimate, occurs when an honest receiver generates a single ACK for all traffic received in a collection period. A receiver that is generating ACKs less frequently than every other sent packet or 100HZ AND is claiming that the connection is experiencing no congestion is inherently suspicious. Even if it manages to be RFC compliant, the sender is under no obligation to continue sending traffic to this client at higher and higher rates. This is especially true since even with the proposed test, an attacker can always recruit compromised attackers to act as a bit bucket drain at typical home broadband rates. Since the goal of optimistic acking is to get a multiplier effect, the rates in question would be several times higher than typical home broadband capacities. So wouldn't having the application layer merely cap individual flows to anonymous clients be just as effective a counter-measure as fiddling with TCP? And wouldn't it be less harmful? The proposed test *is* harmful. It artifically increases the amount of packet re-ordering in the network. Receivers may already have engineered resources to provide resilient responses to re-ordered packets. Artificially caused packet reordering as a routine test eats away at those safety margins. And the duplicate acks generated ARE excess traffic. As an *administrative* test done when a flow already appears suspicious there would be no real problem. But as a routine test to determine when a flow is suspicious there is an inherent problem. Either the test is performed too seldom to be effective, or it is performed frequently enough to have a measurable impact on the performance of at least some receivers. _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] New I-D posted : draft-moncaster-tcpm-rcv-… toby.moncaster
- Re: [tcpm] New I-D posted : draft-moncaster-tcpm-… Rob Sherwood
- Re: [tcpm] New I-D posted : draft-moncaster-tcpm-… Michael Welzl
- Re: [tcpm] New I-D posted : draft-moncaster-tcpm-… Gavin McCullagh
- RE: [tcpm] New I-D posted : draft-moncaster-tcpm-… toby.moncaster
- RE: [tcpm] New I-D posted : draft-moncaster-tcpm-… toby.moncaster
- RE: [tcpm] New I-D posted : draft-moncaster-tcpm-… Michael Welzl
- RE: [tcpm] New I-D posted : draft-moncaster-tcpm-… Anantha Ramaiah (ananth)
- Re: [tcpm] New I-D posted : draft-moncaster-tcpm-… Rob Sherwood
- RE: [tcpm] New I-D posted : draft-moncaster-tcpm-… Caitlin Bestler
- Re: [tcpm] New I-D posted : draft-moncaster-tcpm-… Rob Sherwood
- Re: [tcpm] New I-D posted : draft-moncaster-tcpm-… John Heffner
- RE: [tcpm] New I-D posted : draft-moncaster-tcpm-… Anantha Ramaiah (ananth)
- RE: [tcpm] New I-D posted : draft-moncaster-tcpm-… Michael Welzl
- RE: [tcpm] New I-D posted : draft-moncaster-tcpm-… toby.moncaster
- Re: [tcpm] New I-D posted : draft-moncaster-tcpm-… John Heffner
- AW: [tcpm] New I-D posted : draft-moncaster-tcpm-… Michael Welzl
- Re: [tcpm] New I-D posted : draft-moncaster-tcpm-… Gorry Fairhurst