Re: [tcpm] DoS attack from misbehaving receivers
John Heffner <jheffner@psc.edu> Thu, 11 January 2007 22:15 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H58Cn-0003kn-C3; Thu, 11 Jan 2007 17:15:29 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H58Cm-0003ja-9K for tcpm@ietf.org; Thu, 11 Jan 2007 17:15:28 -0500
Received: from mailer1.psc.edu ([128.182.58.100]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H58Cl-0004E2-0a for tcpm@ietf.org; Thu, 11 Jan 2007 17:15:28 -0500
Received: from [128.182.160.132] (ice.psc.edu [128.182.160.132]) (authenticated bits=0) by mailer1.psc.edu (8.13.8/8.13.3) with ESMTP id l0BMFPsx006080 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 11 Jan 2007 17:15:26 -0500 (EST)
Message-ID: <45A6B6FC.7020000@psc.edu>
Date: Thu, 11 Jan 2007 17:15:24 -0500
From: John Heffner <jheffner@psc.edu>
User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207)
MIME-Version: 1.0
To: Rob Sherwood <capveg@cs.umd.edu>
Subject: Re: [tcpm] DoS attack from misbehaving receivers
References: <20070111202843.GL2944@loompa.cs.umd.edu> <54AD0F12E08D1541B826BE97C98F99F1EE6E4E@NT-SJCA-0751.brcm.ad.broadcom.com> <20070111212732.GM2944@loompa.cs.umd.edu>
In-Reply-To: <20070111212732.GM2944@loompa.cs.umd.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: david.malone@nuim.ie, tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
Rob Sherwood wrote: >> Before endorsing a counter-measure that calls for what was >> previously non-compliant behavior there should be a showing >> that the problem being solved is indeed severe and unique. > > Agreed. This is the crux of the discussion: is this attack severe > enough to motivate the admittedly invasive change to the TCP stack. Yep. >> If my understanding is correct, the problem is that an attacker >> can simulate reception of more material than their actual local >> link can support, and thereby trick a large group of senders >> into saturating *their* local links and/or intermediate segments. > > This is mostly correct. The true concern is that *backbone* links, > not just local links, will be saturated, bringing about, as the title > suggests, Internet-wide congestion collapse. It is this concern that > I feel motivates the need to change the specification. The links with heavily aggregated traffic from local or regional ISPs up to the tier 1 ISPs are almost always bandwidth capped, and are almost always purchased in such that they are able to carry "just enough" traffic -- that is, it's pegged for at least some of the time. (Who wants to pay for more than they use?) The core of the Internet today is provisioned to handle the load. It seems to me the threat of Internet-wide congestion collapse is a bit overstated these days. (This also applies to recent congestion control discussions.) I could see this attack as being effective at saturating something like a university's access link where a small number of well-connected servers could severely congest it. However, in my experience, server and network admins are very reluctant to run any sort of service that will stream arbitrary amounts of data as fast as they can. (I've sometimes tried to get such services made available for measurement purposes.) The defense proposed in the paper is pretty cool, but implementing it and running it on a production machine would make me a bit nervous. If this were a significant problem, you could always turn on bandwidth caps in the server application or in the kernel's networking system. This would probably be my favored approach. In reality, I've never heard of this attack being perpetrated in the wild, while DDOS is quite common. -John _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] DoS attack from misbehaving receivers Stephen Hemminger
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Christian Huitema
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- Re: [tcpm] DoS attack from misbehaving receivers John Heffner
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers David Malone
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman