Re: [tcpm] DoS attack from misbehaving receivers
Gavin McCullagh <gavin.mccullagh@nuim.ie> Sat, 13 January 2007 11:36 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5hBN-00054C-HE; Sat, 13 Jan 2007 06:36:21 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5hBM-000542-AY for tcpm@ietf.org; Sat, 13 Jan 2007 06:36:20 -0500
Received: from mail.nuim.ie ([149.157.1.19] helo=LARCH.MAY.IE) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H5hBG-0002nC-Tf for tcpm@ietf.org; Sat, 13 Jan 2007 06:36:20 -0500
Received: from retina-bcl.hamilton.local ([149.157.192.252]) by NUIM.IE (PMDF V6.2-X17 #30789) with ESMTPA id <01MBVNUUOMMK00ZQE2@NUIM.IE> for tcpm@ietf.org; Sat, 13 Jan 2007 11:36:29 +0000 (GMT)
Received: from gavinmc by retina-bcl.hamilton.local with local (Exim 4.50) id 1H5hB7-0004i0-7e; Sat, 13 Jan 2007 11:36:05 +0000
Date: Sat, 13 Jan 2007 11:36:05 +0000
From: Gavin McCullagh <gavin.mccullagh@nuim.ie>
Subject: Re: [tcpm] DoS attack from misbehaving receivers
In-reply-to: <54AD0F12E08D1541B826BE97C98F99F1025E8B@NT-SJCA-0751.brcm.ad.broadcom.com>
To: Caitlin Bestler <caitlinb@broadcom.com>
Message-id: <20070113113605.GA1127@nuim.ie>
MIME-version: 1.0
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Content-disposition: inline
User-Agent: Mutt/1.5.9i
References: <200701121201.l0CC1tnv002619@kac.cnri.dit.ie> <54AD0F12E08D1541B826BE97C98F99F1025E8B@NT-SJCA-0751.brcm.ad.broadcom.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Gavin McCullagh <gavin.mccullagh@nuim.ie>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
Hi, On Fri, 12 Jan 2007, Caitlin Bestler wrote: > But I still don't see doing anything non-standard in the TCP > stack as a counter-measure. Of course, if it were well thought-out enough to be made part of the standard then it ceases to be non-standard :-) > Single flows of over 10 Mbits being sent to a stranger over the wide > internet can be easily flagged at many different layers. I think expecting every potentially large-data TCP application to implement rate-limiting is odd when the danger can only be understood at the transport layer. We'd be expecting every sysadmin to make some guess what their cap should be. Should it be half of their uplink, a tenth, a hundredth? Is it a function also of the number of connections they expect today or even of the number of attackers? What if the attack is not on the sender but on some narrower bottleneck between the sender and the attacker? It's a workaround in some instances but I don't see how it could be a solution to this problem. > Keep in mind that *any* form of rate shaping will severely > impact this attack because the attacker will no longer be able > to predict the timing of tcp sequences. Perhaps I've misunderstood you here, but I don't think this would prevent the attack we have implemented. What the attack does is simply to acknowledge those packets which are received regardless of whether they are in sequence. There's no prediction at all. As the attack progresses, a constant number of acks is sent -- one for each packet received, but the amount of data being acknowledged grows linearly (though some ack division could probably improve on that). http://www.hamilton.ie/gavinmc/drop_dupack_attack/ In a sense "optimistic acking" is not really the best name for this incarnation of the attack. Perhaps better names might be "out of sequence acking", "hole acking" or just plain "dishonest acking" to cover the multitude. > Slightly random rate shaping has no impact on TCP, and could easily be > just as effective. I'm not sure if you mean variation of MSS or of the congestion avoidance increase? Again, I'm often wrong but I don't think that's effective against the above attack. Gavin _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] DoS attack from misbehaving receivers Stephen Hemminger
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- RE: [tcpm] DoS attack from misbehaving receivers Christian Huitema
- Re: [tcpm] DoS attack from misbehaving receivers Joe Touch
- Re: [tcpm] DoS attack from misbehaving receivers John Heffner
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- RE: [tcpm] DoS attack from misbehaving receivers Caitlin Bestler
- Re: [tcpm] DoS attack from misbehaving receivers David Malone
- Re: [tcpm] DoS attack from misbehaving receivers Gavin McCullagh
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman
- Re: [tcpm] DoS attack from misbehaving receivers Rob Sherwood
- Re: [tcpm] DoS attack from misbehaving receivers Mark Allman