Re: [tcpm] DoS attack from misbehaving receivers

David Malone <David.Malone@nuim.ie> Sat, 13 January 2007 10:59 UTC

Message-Id: <200701131052.l0DAqbI4083078@kac.cnri.dit.ie>
To: Caitlin Bestler <caitlinb@broadcom.com>
Subject: Re: [tcpm] DoS attack from misbehaving receivers
In-Reply-To: Your message of "Fri, 12 Jan 2007 17:05:20 PST." <54AD0F12E08D1541B826BE97C98F99F1025E8B@NT-SJCA-0751.brcm.ad.broadcom.com>
From: David Malone <David.Malone@nuim.ie>
Date: Sat, 13 Jan 2007 10:52:37 +0000
Cc: tcpm@ietf.org

> Documenting the attack is definitely a good idea, and I agree
> that it is essentially a blind ack attack (even though it is a 
> partial blindness, since *some* of the send segments reach
> the attacker).

Yes - indeed. This is kind of important, because it means that the
defences currently described in draft-azcorra-tcpm-tcp-blind-ack-dos
will not be effective.

> Single flows of over 10 Mbits being sent to a stranger over
> the wide internet can be easily flagged at many different 
> layers.

Sometimes this is not so easy - some people want to ship 10Mbps
streams to those that can receive them but do not want to send them
to people for whom it will cause congestion (for example, people
providing mirror services). I guess it could be flagged by the
network, but few people want routers to send source quench messages
any more ;-)

To me it seems natural to address this at the TCP layer because it
is essentially an attack on TCP's congestion control mechanism.

> Keep in mind that *any* form of rate shaping will severely
> impact this attack because the attacker will no longer be able
> to predict the timing of tcp sequences.

There's no prediction involved in the attack that we were demoing
- it is entirely deterministic. We just send an ACK for every packet
we get, providing the sequence number is higher than the previous ACK
that we sent.

	David.
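The receiver behaviour David describes (ACK the end of every segment that arrives, as long as it is higher than the last ACK sent) hides losses from the sender, so the sender never sees the duplicate ACKs that its congestion control reacts to. The following Python model is an added example and is not code from this thread or from any TCP implementation; it compares that receiver with a normal cumulative-ACK receiver, counts the loss signals each one generates when the network drops a segment, and shows a sender-side check that exposes the loss-hiding receiver by deliberately holding back one segment of a burst (the "skipped segment" test from Savage et al.'s misbehaving-receiver paper, simplified here). Segment sizes, the burst length and the hold-back position are constructed values.

```python
"""Sender-side view of a loss-hiding (optimistic-ACK) receiver.

Added example, not part of the tcpm thread. Segments are modelled as
fixed-size blocks of MSS bytes; segment i covers [i*MSS, (i+1)*MSS).
"""

MSS = 1000  # constructed segment size for the model


class HonestReceiver:
    """Standard cumulative ACK: acknowledge only the contiguous prefix."""

    def __init__(self):
        self.got = set()        # sequence numbers of segments received
        self.next_expected = 0  # first byte not yet received in order

    def on_segment(self, seq, length):
        self.got.add(seq)
        # Advance over every contiguous segment we now hold.
        while self.next_expected in self.got:
            self.next_expected += length
        return self.next_expected


class LossHidingReceiver:
    """The behaviour from the mail: ACK the end of every segment that
    arrives, provided it is higher than the previous ACK we sent."""

    def __init__(self):
        self.last_ack = 0

    def on_segment(self, seq, length):
        end = seq + length
        if end > self.last_ack:
            self.last_ack = end
        return self.last_ack


def loss_signals(receiver, burst=8, drop=2):
    """Deliver `burst` segments with segment `drop` lost in the network and
    count the duplicate ACKs the sender sees (the signal fast retransmit and
    the cwnd reduction rely on)."""
    dups = 0
    last = None
    for i in range(burst):
        if i == drop:
            continue  # lost in transit, never reaches the receiver
        ack = receiver.on_segment(i * MSS, MSS)
        if ack == last:
            dups += 1
        last = ack
    return dups


def probe(receiver, burst=8, hold=3):
    """Send `burst` segments but deliberately hold segment `hold` back until
    the end. Return (acks_seen, flagged): a receiver that cumulatively ACKs
    past the held-back segment before it was sent cannot be doing real
    cumulative acknowledgement, so the sender flags it."""
    order = [i for i in range(burst) if i != hold] + [hold]
    acks = []
    flagged = False
    held_sent = False
    for i in order:
        if i == hold:
            held_sent = True
        ack = receiver.on_segment(i * MSS, MSS)
        acks.append(ack)
        # An honest receiver cannot ACK beyond a hole it has not filled.
        if not held_sent and ack > hold * MSS:
            flagged = True
    return acks, flagged


if __name__ == "__main__":
    for name, cls in (("honest", HonestReceiver), ("loss-hiding", LossHidingReceiver)):
        print(name, "dup ACKs after one drop:", loss_signals(cls()))
        acks, flagged = probe(cls())
        print(name, "ACKs during skip probe:", acks, "flagged:", flagged)
```

With one segment dropped, the honest receiver produces a run of duplicate ACKs and the sender backs off; the loss-hiding receiver produces none, which is the sense in which the attack targets congestion control rather than sequence-number prediction. The skip probe costs the sender one reordered segment per check and detects the misbehaviour from the first ACK that covers the hole.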
