IETF Logo Mail Archive

RE: [tcpm] New I-D posted : draft-moncaster-tcpm-rcv-cheat-00

"Caitlin Bestler" <caitlinb@broadcom.com> Wed, 21 February 2007 19:16 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HJwxD-0003h2-LR; Wed, 21 Feb 2007 14:16:39 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HJwxB-0003gI-7l for tcpm@ietf.org; Wed, 21 Feb 2007 14:16:37 -0500
Received: from mms3.broadcom.com ([216.31.210.19]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HJwx9-0008UQ-QI for tcpm@ietf.org; Wed, 21 Feb 2007 14:16:37 -0500
Received: from 10.10.64.154 by MMS3.broadcom.com with ESMTP (Broadcom SMTP Relay (Email Firewall v6.3.0)); Wed, 21 Feb 2007 11:16:21 -0800
X-Server-Uuid: 9206F490-5C8F-4575-BE70-2AAA8A3D4853
Received: by mail-irva-10.broadcom.com (Postfix, from userid 47) id 0D13D2AF; Wed, 21 Feb 2007 11:16:21 -0800 (PST)
Received: from mail-irva-8.broadcom.com (mail-irva-8 [10.10.64.221]) by mail-irva-10.broadcom.com (Postfix) with ESMTP id ED2122AE; Wed, 21 Feb 2007 11:16:20 -0800 (PST)
Received: from mail-sj1-12.sj.broadcom.com (mail-sj1-12.sj.broadcom.com [10.16.128.215]) by mail-irva-8.broadcom.com (MOS 3.7.5a-GA) with ESMTP id EYP93575; Wed, 21 Feb 2007 11:16:16 -0800 (PST)
Received: from NT-SJCA-0751.brcm.ad.broadcom.com (nt-sjca-0751 [10.16.192.221]) by mail-sj1-12.sj.broadcom.com (Postfix) with ESMTP id 2578720502; Wed, 21 Feb 2007 11:16:16 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: [tcpm] New I-D posted : draft-moncaster-tcpm-rcv-cheat-00
Date: Wed, 21 Feb 2007 11:16:14 -0800
Message-ID: <54AD0F12E08D1541B826BE97C98F99F101193858@NT-SJCA-0751.brcm.ad.broadcom.com>
In-Reply-To: <BAB4DC0CD5148948A86BD047A85CE2A7022D8F94@E03MVZ4-UKDY.domain1.systemhost.net>
Thread-Topic: [tcpm] New I-D posted : draft-moncaster-tcpm-rcv-cheat-00
Thread-Index: AcdUM1p48JkJlkW1QDC5NeLHuwq6tgAABe+wADfFPnAANXgAgA==
From: Caitlin Bestler <caitlinb@broadcom.com>
To: toby.moncaster@bt.com, tcpm@ietf.org
X-WSS-ID: 69C2450F3Y826066982-01-01
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.6 (/)
X-Scan-Signature: 2086112c730e13d5955355df27e3074b
Cc:
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

I am very skeptical that there is a transport layer problem here,
as opposed to an application layer problem.

Basically, I do not accept the following premise:

	A large server relies on honest network congestion feedback to
	efficiently apportion its own resources between receivers. If
	such a large server devotes an excessive fraction of its own
	resources to misbehaving receivers, it may well hit its own
	resource limits and have to starve other half-connections even
	if their network path has spare capacity.

I would rather contend:

	A large server does not rely on network congestion feedback
alone
	to efficiently apportion its own resources between receivers. If
	such a large receiver devotes an excessive fraction of its own
	resources to any receiver (whether misbehaving, malicious or 
	merely greedy) it may well hit its own resource limits and
	have to starve other half-connections even if their network
	path has spare capacity.

A server application that is willing to transmit multi-megabit flows
to an anonymous client based solely on the alleged receive capacity
of the receiver is so gullible it almost qualifies as a "willing
accomplice".

My understanding of this problem assumes the following:

	DoS attacks that seek to cause a server to send very large
streams,
	and thereby cause local congestion at the server end, require
establishing
	actual connections. Therefore the source of the attack is
traceable.
	An attacker is unlikely to use their own machine for a traceable
attack.
	Therefore these attacks would be launched from compromised
machines, from
	a botnet.

	A compromised machine can already be used to "honestly" receive
a stream
	at the compromised machine's capacity rate. The installed
malware can
	simply throw the traffic away with very low CPU overhead. If
clever, it
	can limit the rate to a fraction of the local bandwidth to avoid
arousing
	suspicion of the machine's legitimate owner.

	Therefore the proposed test is intended as a countermeasure
against attackers
	seeking to use optimistic acking to get a multiplier effect. By
committing
	virtually all of the local machines receive bandwidth it can get
the server
	to commit several times that on the server's local network.

	The fake receiver will ack packets that are actually reeived as
though all
	prior packets had been received. An optimal attacker would
probably simulate
	a long NAPI poll cycle of 100 HZ and ack the highest TCP
sequence received
	ignoring all gaps. It would thereby simulate the behavior of an
honest
	receiver that consolidated ACKs on a 100 HZ collection cycle.

An important constraint is that the attacker wants to generate no fewer
acks than
an honest receiver actually receiving the packets would have. The
greatest ACK to
receive ratio that I can think of, this is also legitimate, occurs when
an honest
receiver generates a single ACK for all traffic received in a collection
period.

A receiver that is generating ACKs less frequently than every other sent
packet
or 100HZ AND is claiming that the connection is experiencing no
congestion is
inherently suspicious. Even if it manages to be RFC compliant, the
sender is
under no obligation to continue sending traffic to this client at higher
and
higher rates.

This is especially true since even with the proposed test, an attacker
can 
always recruit compromised attackers to act as a bit bucket drain at
typical
home broadband rates. Since the goal of optimistic acking is to get a
multiplier
effect, the rates in question would be several times higher than typical
home
broadband capacities.

So wouldn't having the application layer merely cap individual flows to
anonymous
clients be just as effective a counter-measure as fiddling with TCP?

And wouldn't it be less harmful?

The proposed test *is* harmful. It artifically increases the amount of
packet
re-ordering in the network. Receivers may already have engineered
resources
to provide resilient responses to re-ordered packets. Artificially
caused
packet reordering as a routine test eats away at those safety margins.
And
the duplicate acks generated ARE excess traffic.

As an *administrative* test done when a flow already appears suspicious
there would be no real problem. But as a routine test to determine when
a flow is suspicious there is an inherent problem. Either the test is
performed too seldom to be effective, or it is performed frequently
enough to have a measurable impact on the performance of at least
some receivers.




_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email