RE: [tcpm] DoS attack from misbehaving receivers
"Caitlin Bestler" <caitlinb@broadcom.com> Thu, 11 January 2007 20:59 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H571L-0000Oq-Kf; Thu, 11 Jan 2007 15:59:35 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H571K-0000Ob-Bo for tcpm@ietf.org; Thu, 11 Jan 2007 15:59:34 -0500
Received: from mms1.broadcom.com ([216.31.210.17]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H571E-0001tx-8T for tcpm@ietf.org; Thu, 11 Jan 2007 15:59:34 -0500
Received: from 10.10.64.154 by mms1.broadcom.com with ESMTP (Broadcom SMTP Relay (Email Firewall v6.3.0)); Thu, 11 Jan 2007 12:59:12 -0800
X-Server-Uuid: D7CB97D3-6392-476F-BE46-AB3D6F515C9A
Received: by mail-irva-10.broadcom.com (Postfix, from userid 47) id A0E022AF; Thu, 11 Jan 2007 12:59:12 -0800 (PST)
Received: from mail-irva-8.broadcom.com (mail-irva-8 [10.10.64.221]) by mail-irva-10.broadcom.com (Postfix) with ESMTP id 7C5DF2AE; Thu, 11 Jan 2007 12:59:12 -0800 (PST)
Received: from mail-sj1-12.sj.broadcom.com (mail-sj1-12.sj.broadcom.com [10.16.128.215]) by mail-irva-8.broadcom.com (MOS 3.7.5a-GA) with ESMTP id ETE74774; Thu, 11 Jan 2007 12:59:11 -0800 (PST)
Received: from NT-SJCA-0751.brcm.ad.broadcom.com (nt-sjca-0751 [10.16.192.221]) by mail-sj1-12.sj.broadcom.com (Postfix) with ESMTP id 2BBC620501; Thu, 11 Jan 2007 12:59:11 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: [tcpm] DoS attack from misbehaving receivers
Date: Thu, 11 Jan 2007 12:59:10 -0800
Message-ID: <54AD0F12E08D1541B826BE97C98F99F1EE6E4E@NT-SJCA-0751.brcm.ad.broadcom.com>
In-Reply-To: <20070111202843.GL2944@loompa.cs.umd.edu>
Thread-Topic: [tcpm] DoS attack from misbehaving receivers
Thread-Index: Acc1vyb1fHEnyjCSTvqGmKsYeUMr2gAAsW6Q
From: Caitlin Bestler <caitlinb@broadcom.com>
To: Rob Sherwood <capveg@cs.umd.edu>
X-WSS-ID: 69B87AAA3EK19030157-01-01
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
Cc: david.malone@nuim.ie, tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
Rob Sherwood wrote: > I guess I should probably jump in here somewhere :-) > > On Thu, Jan 11, 2007 at 12:00:59PM -0800, Caitlin Bestler wrote: >> The proposed test for a non-compliant receiver would seem to require >> that the sender be non-compliant itself. > > I'm not sure I understand this comment. Part of the utility > of the solution is that unmodified receivers can communicate > with senders that randomly skip segments, because segment > reordering and dropping is already handled by TCP. > Having the sender skip segments will indeed detect a non-compliant receiver that acks segments that were never sent. But sending non-contiguous TCP segments is itself not compliant. > >> For many of the applications cited, wouldn't a more general solution >> be to apply connection-specific rate limiters at the sender (in the >> stack or at the application layer)? > > As mentioned in the paper, rate limiting does not prevent the attack. > The attack is for many servers to send a small amount of TCP > unfriendly traffic into the network, which results in > significant traffic in aggregate. Reducing the rate of > traffic at any one server only causes the attacker to target > more servers. > You can generate a large amount of traffic simply sending small requests that generate large responses and then bit-bucketing the results. If you are doing so from a botnet you can even actually receive all of the segments in the distributed clients before dropping the segments. Before endorsing a counter-measure that calls for what was previously non-compliant behavior there should be a showing that the problem being solved is indeed severe and unique. If my understanding is correct, the problem is that an attacker can simulate reception of more material than their actual local link can support, and thereby trick a large group of senders into saturating *their* local links and/or intermediate segments. But is it not correct that the same attack could be launched from a botnet just as effectively even without faking acks? Until typical home computers are more secure from being drafted into a botnet is there a real benefit from this counter-measure? Having transmitters engage in non-compliant behavour in order to catch cheaters is a slippery slope best avoided. _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] DoS attack from misbehaving receivers Stephen Hemminger
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Christian Huitema
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- Re: [tcpm] DoS attack from misbehaving receivers John Heffner
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers David Malone
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman