Re: [tcpm] DoS attack from misbehaving receivers
Mark Allman <mallman@icir.org> Mon, 05 February 2007 14:25 UTC
To: tcpm@ietf.org
From: Mark Allman <mallman@icir.org>
Subject: Re: [tcpm] DoS attack from misbehaving receivers
In-Reply-To: <20070113161808.GX2944@loompa.cs.umd.edu>
Organization: ICSI Center for Internet Research (ICIR)
Date: Mon, 05 Feb 2007 09:24:25 -0500
Message-Id: <20070205142425.893CF17421E@lawyers.icir.org>

I have thought about this attack and had some spirited discussion with Rob on the topic. I am not greatly worried about it myself.

+ It is pretty easy to detect this attack (in fact there is a footnote in the paper that says the author's experiments were detected by their network provider!). It is fairly easy to see that more data is being ACKed than is being actually received.

+ Slammer was a one packet UDP fire and forget situation. It sourced traffic as fast as the attached link could support---no control of any kind. (Other worms have had this property, as well.) We did not see a melting core. So, I am not quite sure I am worried about a botnet of optack-ing boxes coaxing something to happen that has not already happened.

+ If we think this is a problem that needs a solution, we should think about how to do so without hacking things like changing the sending order. (E.g., a generalized nonce (a la Savage) or something.)

My two bits ...

allman
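
Added example, not part of the original message: one way a monitor on the receiver's access link could apply the check the message describes (more data ACKed than actually received), by tracking the bytes it has seen arrive in order and flagging any cumulative ACK that claims more. The `Pkt` record, the `find_optimistic_acks` name and the trace are constructed for illustration; the sketch assumes the monitor sees both directions of the flow and that the flow carries less than 4 GiB.

```python
from typing import NamedTuple

class Pkt(NamedTuple):
    direction: str  # "data": sender -> receiver, "ack": receiver -> sender
    seq: int = 0    # sequence number of first payload byte ("data" only)
    length: int = 0 # payload bytes ("data" only)
    ack: int = 0    # cumulative ACK number ("ack" only)

def find_optimistic_acks(trace, isn, tolerance=0):
    """Return (index, acked_offset, delivered_offset) for every ACK that
    covers bytes not yet seen in order at the monitoring point."""
    def rel(n):
        # offset from the first data byte, tolerant of 32-bit wraparound
        return (n - isn - 1) & 0xFFFFFFFF

    delivered = 0   # bytes that have passed the monitor contiguously
    pending = {}    # out-of-order segments: start offset -> end offset
    findings = []
    for i, p in enumerate(trace):
        if p.direction == "data":
            start = rel(p.seq)
            end = start + p.length
            if end <= delivered:
                continue  # retransmission of bytes already counted
            pending[start] = max(end, pending.get(start, 0))
            # absorb every buffered segment that is now contiguous
            for s in sorted(pending):
                if s > delivered:
                    break
                delivered = max(delivered, pending.pop(s))
        elif rel(p.ack) > delivered + tolerance:
            # the receiver cannot have bytes the monitor never forwarded
            findings.append((i, rel(p.ack), delivered))
    return findings

# Constructed trace: ISN 1000, 1000-byte segments, one hole at offset 1000.
SAMPLE = [
    Pkt("data", seq=1001, length=1000),
    Pkt("ack", ack=2001),                 # honest
    Pkt("data", seq=3001, length=1000),   # arrives before the hole is filled
    Pkt("ack", ack=2001),                 # honest duplicate ACK
    Pkt("ack", ack=4001),                 # claims the hole: flagged
    Pkt("data", seq=2001, length=1000),   # hole filled
    Pkt("ack", ack=4001),                 # now honest
    Pkt("ack", ack=9001),                 # acknowledges bytes never sent by: flagged
]

if __name__ == "__main__":
    for idx, acked, seen in find_optimistic_acks(SAMPLE, isn=1000):
        print(f"packet {idx}: ACK covers {acked} bytes, only {seen} delivered")
```

A non-zero `tolerance` is only needed when the capture point can miss or reorder packets relative to the receiver.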