[e2e] Redirection-Based Flooding Attacks (was Re: DDoS attack vs. Spoofing of Source Address)

Detlef Bosau detlef.bosau at web.de
Tue Jan 31 06:17:46 PST 2006


Christian Vogt wrote:
> 
> Everybody,
> 
> a typical issue with mobility protocols such as Mobile IPv6 [1] or the
> Host Identity Protocol's mobility extensions [2] is that they
> potentially introduce a new form of flooding attack:  redirection-based
> flooding attacks.
> 
> In waging a redirection-based flooding attack, the perpetrator uses its
> own IP address to request the download of a large file, e.g., through a
> TCP handshake.    Once the server begins transmitting this file, the
> attacker redirects the flow to the IP address of its victim, pretending
> to be mobile and to now be reachable via the victim's IP address.


Yes. And because there exists no corresponding socket at the "victim",
the sender will send one CWND's worth of data,
see a number of timeouts and backoffs and eventually die.

O.k., there may be a dozen annoying packets or so.

And of course, there exist more convincing scenarios for your problem
than just a TCP flow ;-)

Despite this, I'm not fully convinced of the relevance of Mobile IP
and its descendants. For me, the world
consists of wirebound networks, mobile wide area networks (with their own
L2 infrastructure and micromobility) and perhaps
the one or the other leaf network which appears like an "IEEE....."
network segment. Hence, I don't see a compelling reason
for mobile IP. Of course, you mentioned a potential security problem in
mobile IP. So, if something is not really necessary
but raises a problem, one possible way out is to forget about this
one :-)

(Yes, of course, I know about the battlefield scenario.... However,
when I look at actual battlefields, I'm not fully convinced
that the lack of MANETs and mobile IP is the dominant problem there...)

> 
> Of course, reachability tests take their time and have an impact on
> handoff performance.  They thus compromise the quality of
> delay-sensitive real-time applications such as VoIP.  But there are ways

I don't see any sense in VoIP over wireless networks.

If you use VoIP in wirebound networks, which can make sense under
certain conditions, you would direct a VoIP flow to a wireless
terminal using a service that terminates the VoIP flow in the wirebound
network and forwards the voice flow via an ordinary voice stream
using the mobile network's TDM interface.

Detlef

-- 
Detlef Bosau
Galileistrasse 30
70565 Stuttgart
Mail: detlef.bosau at web.de
Web: http://www.detlef-bosau.de
Mobile: +49 172 681 9937
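The reachability test mentioned in the quoted text, as an added Python simulation that is not part of this thread or of any Mobile IPv6 implementation: the correspondent honours a redirect only after the claimed new address echoes back a keyed token, so a peer that points its download at an address it does not own never sees the token and the flow stays where it was. The addresses, the flow id and the in-memory inbox map are constructed for the example.

```python
import hashlib
import hmac
import os

class Correspondent:
    """Server side of a flow; hosts is a constructed address -> inbox-list map."""
    def __init__(self, hosts, require_test=True):
        self.hosts = hosts
        self.require_test = require_test
        self.flows = {}               # flow id -> current destination address
        self.secret = os.urandom(16)  # keys the test token so it cannot be forged

    def token(self, flow_id, addr):
        msg = f"{flow_id}|{addr}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def redirect(self, flow_id, new_addr, proof=None):
        """Binding update claiming the flow's peer is now reachable at new_addr."""
        if not self.require_test:          # weak: trust the claim blindly
            self.flows[flow_id] = new_addr
            return True
        expected = self.token(flow_id, new_addr)
        if proof is None:                  # first step: send the test to new_addr
            self.hosts[new_addr].append(("reach_test", flow_id, expected))
            return False
        if hmac.compare_digest(proof, expected):
            self.flows[flow_id] = new_addr # requester proved it is at new_addr
            return True
        return False                       # token never reached the requester

    def send(self, flow_id, payload):
        self.hosts[self.flows[flow_id]].append(("data", flow_id, payload))

def data_count(inbox):
    return sum(1 for p in inbox if p[0] == "data")

def run(require_test, honest_mover):
    """Peer at 10.0.0.2 asks to move its download to 10.0.0.9 (constructed addresses).
    Returns (data packets delivered to 10.0.0.9, data packets delivered to 10.0.0.2)."""
    old, new = [], []
    cn = Correspondent({"10.0.0.2": old, "10.0.0.9": new}, require_test)
    cn.flows["dl"] = "10.0.0.2"            # download set up from the requester's own address
    if not cn.redirect("dl", "10.0.0.9"):
        # Only a node that really owns 10.0.0.9 can read the token out of that inbox;
        # a requester pointing the flow at someone else's address can only guess.
        proof = new[-1][2] if honest_mover else "guess"
        cn.redirect("dl", "10.0.0.9", proof)
    cn.send("dl", b"file chunk")
    return data_count(new), data_count(old)
```

Without the test the first call delivers the data to 10.0.0.9 regardless of who asked; with it, only a requester that actually receives packets at 10.0.0.9 can move the flow there.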

