Re: Fwd: Minutes / Notes
Pekka;
> > Yes, lacking proper acknowledgements from 131.112.32.132, the
> > peer will terminate the stream.
>
> Exactly.
>
> > That is, you can't send proper acknowledgements, unless you can
> > receive packets to 131.112.32.132, which is the return routability.
>
> Not true. If you open a TCP session and receive the first
> few packets, it is easy enough to generate fake ACKs.
Assuming that there are no packet losses and that the attacker
sends acks slowly enough, maybe.
> I can dig up a reference if needed. You can even make
> it look like the bandwidth is much higher than it is,
> thereby clogging a pipe even with just one or few
> streams.
See above.
> All you need to do is to get a stream that
> is originally directed to yourself to be now directed
> to the victim, with the possibility of generating faked
> ACKs.
Note also that there is no victim host. See below.
> Some people claim that it is even easier to fake ACKs
> for some UDP based protocols, but I don't know the details.
You can, of course, design such protocols by yourself.
However, hosts supporting such protocols are compromised from
the beginning.
> > It should also be noted that there is no amplification here that
> > it is no worse than ICMP echo requests with spoofed source addresses.
>
> Not true, see above.
Actually, it is weaker than an echo attack, because packets to XXX are
never received by any IP layer and ICMP host unreachable will
be returned.
> > Yes, a similar attack is, for example, possible with
> >
> > pnr.iki.fi. IN MX 10 pnr.iki.fi,
> > pnr.iki.fi. IN MX 20 necom830.hpcl.titech.ac.jp
> > pnr.iki.fi. IN A 81.17.193.194
> > necom830.hpcl.titech.ac.jp IN A 131.112.32.132
> >
> > and sending a lot of erroneous mails from pnr.iki.fi to
> > random recipients.
> >
> > So?
>
> The problem is that the attacker is able to make the
> stream to continue uninterrupted, since it can fake
> the acks very easily.
See above.
> If you make a false MX, the MXed host will not
> accept the mail. Hence, in that case application
> level stops the attack.
Only after the resources of the transport and application layers are
wasted, which means a successful DoS attack.
Masataka Ohta