Re: [tcpm] DoS attack from misbehaving receivers
Rob Sherwood <capveg@cs.umd.edu> Sat, 13 January 2007 16:18 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5laG-0001rK-0S; Sat, 13 Jan 2007 11:18:20 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5laE-0001qJ-H7 for tcpm@ietf.org; Sat, 13 Jan 2007 11:18:18 -0500
Received: from circular.cs.umd.edu ([128.8.128.176]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H5laD-0001le-3W for tcpm@ietf.org; Sat, 13 Jan 2007 11:18:18 -0500
Received: from loompa.cs.umd.edu (loompa.cs.umd.edu [128.8.128.63]) by circular.cs.umd.edu (8.12.11.20060308/8.12.5) with ESMTP id l0DGIFh8014979; Sat, 13 Jan 2007 11:18:15 -0500
Received: (from capveg@localhost) by loompa.cs.umd.edu (8.12.10/8.12.5) id l0DGI9Ud007876; Sat, 13 Jan 2007 11:18:09 -0500 (EST)
Date: Sat, 13 Jan 2007 11:18:08 -0500
From: Rob Sherwood <capveg@cs.umd.edu>
To: Caitlin Bestler <caitlinb@broadcom.com>
Subject: Re: [tcpm] DoS attack from misbehaving receivers
Message-ID: <20070113161808.GX2944@loompa.cs.umd.edu>
References: <200701121201.l0CC1tnv002619@kac.cnri.dit.ie> <54AD0F12E08D1541B826BE97C98F99F1025E8B@NT-SJCA-0751.brcm.ad.broadcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <54AD0F12E08D1541B826BE97C98F99F1025E8B@NT-SJCA-0751.brcm.ad.broadcom.com>
User-Agent: Mutt/1.4.1i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bb8f917bb6b8da28fc948aeffb74aa17
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
In addition to David and Gavin's comments:

On Fri, Jan 12, 2007 at 05:05:20PM -0800, Caitlin Bestler wrote:
> Single flows of over 10 Mbits being sent to a stranger over
> the wide internet can be easily flagged at many different
> layers.

There is no requirement in the attack that any one flow would be large (10MB or what have you) or in any way anomalous. As discussed in the paper, the attacker can simply create many small streams instead of few large streams such that no intrusion detection system or rate limiting queue is affected. Because the ACK stream is used to determine when to timeout (ACK clocking, forged TCP timestamps), when to send (incoming ACK frees new segments), and how much to send (the number of new segments freed), the attacker is in complete control of the connection, and can shape traffic nearly arbitrarily. So an intelligent attacker can shape each connection to appear to be a perfectly "normal" connection to any other layer than layer 4, for any definition of normal. That is why the fix to this problem must be at the transmission layer.

> Keep in mind that *any* form of rate shaping will severely
> impact this attack because the attacker will no longer be able
> to predict the timing of tcp sequences.

I do not believe this to be true. The attack described by David and Gavin ("lazy optack" in my paper) defeats this. Additionally, the standard optack attack defeats this when the attacker simply ACKs less often (e.g., 1 ack/500ms) but to more streams for the same total aggregate traffic. This behavior, as described in the paper, is actually required in practice to prevent ACKing ahead of sent data, because non-randomized rate TCP streams naturally have sufficient entropy in the segment generation rate that this is already a concern.

- Rob

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm
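The two points in the message above, that the receiver's ACK stream decides when and how much the sender transmits, and that an optack attacker has to avoid ACKing ahead of what the sender has actually sent, as an added example that is not part of the thread or of the paper it refers to. The sender is a toy slow-start model with a 50 ms one-way delay and 1 ms time steps; the "withheld segment" probe in `Sender.send` is a hypothetical sender-side mechanism assumed here for illustration, not something the thread proposes. All delays, window rules and ACK streams are constructed.

```python
"""Added example (not from the tcpm thread): a toy slow-start sender whose
send clock is driven entirely by the ACKs it receives, with the two checks a
sender can make on each cumulative ACK. Delays, cwnd rules and the receiver
policies are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

MSS = 1460  # bytes per segment; sequence numbers below are in bytes


@dataclass
class Sender:
    """Minimal sender: transmits while inflight < cwnd, grows cwnd by one
    segment per newly acknowledged segment (slow start, no loss model)."""
    cwnd: int = 2                 # segments
    snd_una: int = 0              # oldest unacknowledged byte
    snd_nxt: int = 0              # next byte to be sent
    withheld: set = field(default_factory=set)   # seqs consumed but never sent
    alerts: list = field(default_factory=list)

    def sendable(self):
        return max(0, self.cwnd - (self.snd_nxt - self.snd_una) // MSS)

    def send(self, withhold=False):
        """Consume one segment of sequence space and return its seq.
        withhold=True is a hypothetical probe: the sender skips transmitting
        this segment, so an honest cumulative ACK can never pass it."""
        seq = self.snd_nxt
        self.snd_nxt += MSS
        if withhold:
            self.withheld.add(seq)
        return seq

    def on_ack(self, ack):
        """Validate, then apply, one cumulative ACK. Returns True if accepted."""
        if ack > self.snd_nxt:                        # ACK for data never sent
            self.alerts.append(("ack-beyond-snd_nxt", ack))
            return False
        if any(ack > seq for seq in self.withheld):   # ACK through a hole
            self.alerts.append(("ack-through-withheld-segment", ack))
            return False
        newly = (ack - self.snd_una) // MSS           # 0 for duplicate/old ACKs
        if newly > 0:
            self.snd_una = ack
            self.cwnd += newly
        return True


def simulate(lead, owd_ms=50, tick_ms=10, duration_ms=1000):
    """1 ms time-stepped run of one connection. lead=None: honest receiver
    that ACKs each segment on arrival. lead=k: optack receiver that, every
    tick_ms, ACKs k segments beyond the highest seq it has actually received,
    without waiting for the data (it has to guess what the sender has sent)."""
    s = Sender()
    data_wire, ack_wire = defaultdict(list), defaultdict(list)
    rcv_nxt, highest_seen = 0, -MSS
    for t in range(duration_ms):
        for ack in ack_wire.pop(t, []):           # ACKs reaching the sender
            s.on_ack(ack)
        for _ in range(s.sendable()):             # ACK-clocked transmission
            data_wire[t + owd_ms].append(s.send())
        for seq in data_wire.pop(t, []):          # segments reaching receiver
            highest_seen = max(highest_seen, seq)
            if seq == rcv_nxt:
                rcv_nxt += MSS
            if lead is None:
                ack_wire[t + owd_ms].append(rcv_nxt)
        if lead is not None and t > 0 and t % tick_ms == 0:
            ack_wire[t + owd_ms].append(highest_seen + (1 + lead) * MSS)
    return s


def withheld_probe(acks):
    """Hypothetical probe: send seg 0, withhold seg 1, send segs 2 and 3, then
    feed in the receiver's ACK stream; returns the sender's alert list."""
    s = Sender(cwnd=4)
    for withhold in (False, True, False, False):
        s.send(withhold=withhold)
    for ack in acks:
        s.on_ack(ack)
    return s.alerts


if __name__ == "__main__":
    for name, lead in (("honest", None), ("optack lead=1", 1), ("optack lead=4", 4)):
        r = simulate(lead)
        print(f"{name:14s} sent {r.snd_nxt // MSS:5d} segments in 1 s, alerts={r.alerts[:1]}")
    print("honest through probe:", withheld_probe([MSS, MSS]))
    print("optack through probe:", withheld_probe([MSS, 3 * MSS]))
```

The honest run doubles its window once per 100 ms round trip; the `lead=1` run is acknowledged on the receiver's own 10 ms timer and sends roughly twice as much in the same second without ever tripping the `snd_nxt` check, because the sender's own transmissions keep outrunning the guessed ACKs. The `lead=4` run guesses too far at its first tick and is flagged, which is the "ACKing ahead of sent data" constraint the message describes. A sender that only checks `ack > snd_nxt` therefore cannot tell a careful optack receiver from an honest one; the withheld-segment probe shows the kind of transport-layer test that does distinguish them.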
- [tcpm] DoS attack from misbehaving receivers Stephen Hemminger
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Christian Huitema
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- Re: [tcpm] DoS attack from misbehaving receivers John Heffner
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers David Malone
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman