Re: [tcpm] mitigating TCP ACK loop ("ACK storm") DoS attacks
"Scharf, Michael (Michael)" <michael.scharf@alcatel-lucent.com> Tue, 17 February 2015 14:17 UTC
Return-Path: <michael.scharf@alcatel-lucent.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A63941A8948 for <tcpm@ietfa.amsl.com>; Tue, 17 Feb 2015 06:17:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rs7M354DCzQ9 for <tcpm@ietfa.amsl.com>; Tue, 17 Feb 2015 06:17:43 -0800 (PST)
Received: from smtp-fr.alcatel-lucent.com (fr-hpida-esg-02.alcatel-lucent.com [135.245.210.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 157551A8946 for <tcpm@ietf.org>; Tue, 17 Feb 2015 06:17:42 -0800 (PST)
Received: from fr712usmtp2.zeu.alcatel-lucent.com (unknown [135.239.2.42]) by Websense Email Security Gateway with ESMTPS id 520A459D9D5C5; Tue, 17 Feb 2015 14:17:35 +0000 (GMT)
Received: from FR711WXCHHUB01.zeu.alcatel-lucent.com (fr711wxchhub01.zeu.alcatel-lucent.com [135.239.2.111]) by fr712usmtp2.zeu.alcatel-lucent.com (GMO) with ESMTP id t1HEHUuX024440 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 17 Feb 2015 15:17:35 +0100
Received: from FR712WXCHMBA15.zeu.alcatel-lucent.com ([169.254.7.88]) by FR711WXCHHUB01.zeu.alcatel-lucent.com ([135.239.2.111]) with mapi id 14.03.0195.001; Tue, 17 Feb 2015 15:17:33 +0100
From: "Scharf, Michael (Michael)" <michael.scharf@alcatel-lucent.com>
To: Wesley Eddy <wes@mti-systems.com>, "Zimmermann, Alexander" <Alexander.Zimmermann@netapp.com>, "tcpm@ietf.org" <tcpm@ietf.org>, Neal Cardwell <ncardwell@google.com>
Thread-Topic: [tcpm] mitigating TCP ACK loop ("ACK storm") DoS attacks
Thread-Index: AQHQRNb0z7KIM1grsEi1eg+qn44RgZzpdaYAgAEhhICAClPM8A==
Date: Tue, 17 Feb 2015 14:17:33 +0000
Message-ID: <655C07320163294895BBADA28372AF5D16C030CA@FR712WXCHMBA15.zeu.alcatel-lucent.com>
References: <CADVnQynQ07-=gzUGbBivua17guztXG7hF4u3gk9m1D+sYyB_Fw@mail.gmail.com> <C5E1B080-15EF-4194-9892-9B775A6DA2A4@netapp.com> <54DAAE2B.3020002@mti-systems.com>
In-Reply-To: <54DAAE2B.3020002@mti-systems.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.239.27.38]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpm/IAdpCpJVrz7c0owBtb9Obzy3uR0>
Subject: Re: [tcpm] mitigating TCP ACK loop ("ACK storm") DoS attacks
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 14:17:44 -0000
> > I discussed this patch a bit w/ Neal yesterday. It was not clear to > me > > (and maybe shame on me) that exist cases in which TCP sends an > (DUP)ACK > > in response to a pure ACK. Parts of this „problem“ belongs to RFC793 > > (see background below). It’s maybe a good opportunity to include some > > text about this in RFC793bis. > > > I would be tempted to say "yes", however, to keep from opening the door > to all kinds of changes and making RFC793bis intractable to get > consensus on, I had proposed to only make changes that are already in > other RFCs updating 793 or in verified errata. > > So, maybe someone should submit an errata on this? :) Indeed, this issue should be recorded. Yet, regarding a solution, I wonder if an errata would indeed be sufficient. If the event processing in RFC 793 has to be modified, it seems to modify TCP on-the-wire in this specific corner case. Does somebody know what stacks other than Linux do in this case? Michael (as individual)
- [tcpm] mitigating TCP ACK loop ("ACK storm") DoS … Neal Cardwell
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Zimmermann, Alexander
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Wesley Eddy
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Jeremy Harris
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Neal Cardwell
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Mirja Kühlewind
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Scharf, Michael (Michael)
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Eric Dumazet