IETF Logo Mail Archive

RE: [tcpm] DoS attack from misbehaving receivers

"Caitlin Bestler" <caitlinb@broadcom.com> Thu, 11 January 2007 20:59 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H571L-0000Oq-Kf; Thu, 11 Jan 2007 15:59:35 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H571K-0000Ob-Bo for tcpm@ietf.org; Thu, 11 Jan 2007 15:59:34 -0500
Received: from mms1.broadcom.com ([216.31.210.17]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H571E-0001tx-8T for tcpm@ietf.org; Thu, 11 Jan 2007 15:59:34 -0500
Received: from 10.10.64.154 by mms1.broadcom.com with ESMTP (Broadcom SMTP Relay (Email Firewall v6.3.0)); Thu, 11 Jan 2007 12:59:12 -0800
X-Server-Uuid: D7CB97D3-6392-476F-BE46-AB3D6F515C9A
Received: by mail-irva-10.broadcom.com (Postfix, from userid 47) id A0E022AF; Thu, 11 Jan 2007 12:59:12 -0800 (PST)
Received: from mail-irva-8.broadcom.com (mail-irva-8 [10.10.64.221]) by mail-irva-10.broadcom.com (Postfix) with ESMTP id 7C5DF2AE; Thu, 11 Jan 2007 12:59:12 -0800 (PST)
Received: from mail-sj1-12.sj.broadcom.com (mail-sj1-12.sj.broadcom.com [10.16.128.215]) by mail-irva-8.broadcom.com (MOS 3.7.5a-GA) with ESMTP id ETE74774; Thu, 11 Jan 2007 12:59:11 -0800 (PST)
Received: from NT-SJCA-0751.brcm.ad.broadcom.com (nt-sjca-0751 [10.16.192.221]) by mail-sj1-12.sj.broadcom.com (Postfix) with ESMTP id 2BBC620501; Thu, 11 Jan 2007 12:59:11 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: [tcpm] DoS attack from misbehaving receivers
Date: Thu, 11 Jan 2007 12:59:10 -0800
Message-ID: <54AD0F12E08D1541B826BE97C98F99F1EE6E4E@NT-SJCA-0751.brcm.ad.broadcom.com>
In-Reply-To: <20070111202843.GL2944@loompa.cs.umd.edu>
Thread-Topic: [tcpm] DoS attack from misbehaving receivers
Thread-Index: Acc1vyb1fHEnyjCSTvqGmKsYeUMr2gAAsW6Q
From: Caitlin Bestler <caitlinb@broadcom.com>
To: Rob Sherwood <capveg@cs.umd.edu>
X-WSS-ID: 69B87AAA3EK19030157-01-01
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
Cc: david.malone@nuim.ie, tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

Rob Sherwood wrote:
> I guess I should probably jump in here somewhere :-)
> 
> On Thu, Jan 11, 2007 at 12:00:59PM -0800, Caitlin Bestler wrote:
>> The proposed test for a non-compliant receiver would seem to require
>> that the sender be non-compliant itself.
> 
> I'm not sure I understand this comment.  Part of the utility
> of the solution is that unmodified receivers can communicate
> with senders that randomly skip segments, because segment
> reordering and dropping is already handled by TCP.
> 

Having the sender skip segments will indeed detect a non-compliant
receiver that acks segments that were never sent. But sending
non-contiguous TCP segments is itself not compliant.

> 
>> For many of the applications cited, wouldn't a more general solution
>> be to apply connection-specific rate limiters at the sender (in the
>> stack or at the application layer)?
> 
> As mentioned in the paper, rate limiting does not prevent the attack.
> The attack is for many servers to send a small amount of TCP
> unfriendly traffic into the network, which results in
> significant traffic in aggregate.  Reducing the rate of
> traffic at any one server only causes the attacker to target
> more servers.
> 

You can generate a large amount of traffic simply sending small
requests that generate large responses and then bit-bucketing
the results. If you are doing so from a botnet you can even
actually receive all of the segments in the distributed clients
before dropping the segments.

Before endorsing a counter-measure that calls for what was
previously non-compliant behavior there should be a showing
that the problem being solved is indeed severe and unique.

If my understanding is correct, the problem is that an attacker
can simulate reception of more material than their actual local
link can support, and thereby trick a large group of senders
into saturating *their* local links and/or intermediate segments.

But is it not correct that the same attack could be launched
from a botnet just as effectively even without faking acks?
Until typical home computers are more secure from being drafted
into a botnet is there a real benefit from this counter-measure?

Having transmitters engage in non-compliant behavour in order
to catch cheaters is a slippery slope best avoided.


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email