Re: [tcpm] DoS attack from misbehaving receivers

Rob Sherwood <capveg@cs.umd.edu> Sat, 13 January 2007 16:18 UTC

Date: Sat, 13 Jan 2007 11:18:08 -0500
From: Rob Sherwood <capveg@cs.umd.edu>
To: Caitlin Bestler <caitlinb@broadcom.com>
Subject: Re: [tcpm] DoS attack from misbehaving receivers
Message-ID: <20070113161808.GX2944@loompa.cs.umd.edu>
References: <200701121201.l0CC1tnv002619@kac.cnri.dit.ie> <54AD0F12E08D1541B826BE97C98F99F1025E8B@NT-SJCA-0751.brcm.ad.broadcom.com>
Cc: tcpm@ietf.org

In addition to David and Gavin's comments:

On Fri, Jan 12, 2007 at 05:05:20PM -0800, Caitlin Bestler wrote:
> Single flows of over 10 Mbits being sent to a stranger over
> the wide internet can be easily flagged at many different 
> layers.

There is no requirement in the attack that any one flow would be large
(10MB or what have you) or in any way anomalous.  As discussed in the
paper, the attacker can simply create many small streams instead of a few
large streams such that no intrusion detection system or rate limiting
queue is affected.  Because the ACK stream is used to determine when to
time out (ACK clocking, forged TCP timestamps), when to send (incoming ACK
frees new segments), and how much to send (the number of new segments
freed), the attacker is in complete control of the connection, and can
shape traffic nearly arbitrarily.  So an intelligent attacker can shape
each connection to appear to be a perfectly "normal" connection to any
other layer than layer 4, for any definition of normal.  That is why the
fix to this problem must be at the transmission layer.

> Keep in mind that *any* form of rate shaping will severely
> impact this attack because the attacker will no longer be able
> to predict the timing of tcp sequences.

I do not believe this to be true.  The attack described by David and Gavin
("lazy optack" in my paper) defeats this.  Additionally, the standard
optack attack defeats this when the attack simply ACKs less often (e.g.,
1 ack/500ms) but to more streams for the same total aggregate traffic.
This behavior, as described in the paper, is actually required in practice
to prevent ACKing ahead of sent data, because non-randomized rate TCP
streams naturally have sufficient entropy in the segment generation rate
that this is already a concern.

- Rob

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm
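As an added illustration of the sender-side concern raised above (ACKing ahead of sent data), and not code from the message or from Sherwood's paper: a toy model of the checks a TCP sender can apply to each incoming cumulative ACK number. The constructed traces show that a greedy optimistic ACK is caught the moment it runs past snd.nxt, while the "lazy" variant, which only ever ACKs data already on the wire, passes every check, which is the point of the reply about why the fix has to live in the transport layer itself. The segment-boundary check (`mid-segment`) is an assumption of this model, not something the thread states.

```python
from dataclasses import dataclass, field


@dataclass
class OptackSender:
    """Sender-side state needed to validate incoming cumulative ACKs."""
    snd_una: int = 1                                  # oldest unacknowledged byte
    snd_nxt: int = 1                                  # next byte to be sent
    boundaries: set = field(default_factory=set)      # end seq of every sent segment

    def send(self, length: int) -> None:
        """Record transmission of one segment of `length` bytes."""
        self.snd_nxt += length
        self.boundaries.add(self.snd_nxt)

    def check_ack(self, ack: int) -> str:
        """Classify an incoming ACK number against what has actually been sent."""
        if ack > self.snd_nxt:
            return "optimistic"   # acknowledges bytes never sent: certainly forged
        if ack <= self.snd_una:
            return "duplicate"    # old or repeated ACK, frees nothing new
        if ack not in self.boundaries:
            return "mid-segment"  # assumption: honest receivers ACK whole segments
        self.snd_una = ack        # legitimate cumulative ACK; advance the window
        self.boundaries = {b for b in self.boundaries if b > ack}
        return "ok"


def run_trace(events):
    """Replay a constructed trace of ('send', length) / ('ack', number) events
    and return the verdict for every ACK, in order."""
    sender = OptackSender()
    verdicts = []
    for kind, value in events:
        if kind == "send":
            sender.send(value)
        else:
            verdicts.append(sender.check_ack(value))
    return verdicts


# Constructed traces, not captured data. Sequence numbers start at 1 and the
# sender emits 1460-byte segments; the interleaving stands in for ACK clocking.
GREEDY = [("send", 1460), ("send", 1460),
          ("ack", 2921), ("send", 1460), ("send", 1460),
          ("ack", 8761)]          # claims bytes up to 8761 before they were sent
LAZY = [("send", 1460), ("send", 1460),
        ("ack", 1461), ("send", 1460),
        ("ack", 2921), ("send", 1460),
        ("ack", 4381)]            # only ever ACKs data already transmitted
```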