Re: [tcpm] DoS attack from misbehaving receivers

Mark Allman <mallman@icir.org> Mon, 05 February 2007 14:25 UTC

To: tcpm@ietf.org
From: Mark Allman <mallman@icir.org>
Subject: Re: [tcpm] DoS attack from misbehaving receivers
In-Reply-To: <20070113161808.GX2944@loompa.cs.umd.edu>
Organization: ICSI Center for Internet Research (ICIR)
Song-of-the-Day: Mr. Jones
MIME-Version: 1.0
Date: Mon, 05 Feb 2007 09:24:25 -0500
Message-Id: <20070205142425.893CF17421E@lawyers.icir.org>

I have thought about this attack and had some spirited discussion with
Rob on the topic.  I am not greatly worried about it myself.

  + It is pretty easy to detect this attack (in fact there is a footnote
    in the paper that says the author's experiments were detected by
    their network provider!).  It is fairly easy to see that more data
    is being ACKed than is being actually received.

  + Slammer was a one packet UDP fire and forget situation.  It sourced
    traffic as fast as the attached link could support---no control of
    any kind.  (Other worms have had this property, as well.)  We did
    not see a melting core.  So, I am not quite sure I am worried about
    a botnet of optack-ing boxes coaxing something to happen that has
    not already happened.

  + If we think this is a problem that needs a solution, we should think
    about how to do so without hacking things like changing the sending
    order.  (E.g., a generalized nonce (a la Savage) or something.)

My two bits ...

allman
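
The two sender-side checks the message alludes to (the first bullet's "more data is being ACKed than is being actually received" and the third bullet's Savage-style nonce) sketched as a small simulation. This is an added example, not code from Allman's message or from the cited paper; the `Sender`/`Segment` names, the 1460-byte segments, the fixed RNG seed and the cumulative nonce summed mod 2^32 are assumptions of this toy, which only approximates the nonce scheme Savage et al. proposed.

```python
import random
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF


@dataclass
class Segment:
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes
    nonce: int    # per-segment random nonce (toy Savage-style nonce, assumed)


@dataclass
class Sender:
    rng: random.Random            # seeded so the scenario is reproducible
    snd_nxt: int = 0              # next sequence number to send
    sent: dict = field(default_factory=dict)   # seq -> Segment

    def send(self, length: int) -> Segment:
        seg = Segment(self.snd_nxt, length, self.rng.getrandbits(32))
        self.sent[seg.seq] = seg
        self.snd_nxt += length
        return seg

    def expected_nonce(self, ack: int) -> int:
        # Sum (mod 2^32) of the nonces of every segment wholly covered by the cumulative ACK.
        return sum(s.nonce for s in self.sent.values() if s.seq + s.length <= ack) & MASK32

    def validate_ack(self, ack: int, nonce_reply: int) -> str:
        # Check 1: an ACK past snd_nxt acknowledges bytes that were never sent.
        if ack > self.snd_nxt:
            return "optimistic: ACK covers bytes never sent"
        # Check 2: a receiver that did not get every acked segment cannot know all nonces.
        if nonce_reply != self.expected_nonce(ack):
            return "optimistic: nonce does not match data actually received"
        return "ok"


def scenario(mode: str, seed: int = 1) -> str:
    """mode: 'honest', 'optack_beyond' (acks unsent data) or 'optack_lost' (acks a lost segment)."""
    snd = Sender(random.Random(seed))
    segs = [snd.send(1460) for _ in range(4)]          # constructed: four full-size segments
    if mode == "optack_beyond":
        return snd.validate_ack(8 * 1460, 0)           # acks twice what was sent, guessed nonce
    received = segs[:1] + segs[2:] if mode == "optack_lost" else segs   # segment 2 never arrived
    nonce_reply = sum(s.nonce for s in received) & MASK32
    return snd.validate_ack(4 * 1460, nonce_reply)     # cumulative ACK for all four segments
```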
