[e2e] Redirection-Based Flooding Attacks (was Re: DDoS attack vs. Spoofing of Source Address)

Christian Vogt chvogt at tm.uka.de
Tue Jan 31 23:07:56 PST 2006


Detlef,

the attacker would have to send TCP acknowledgments in order to make
the TCP sender assume that the packets go to the right IP address.  If 
the mobility protocol allows only for a single address' registration, 
the TCP acknowledgments have to be spoofed.

However, there are also protocols that allow a "mobile" or "multi-homed"
node to register multiple addresses in parallel.  In case the attacker
uses such a protocol, it can send TCP acknowledgments from its own IP
address and have the TCP sender ship its data segments to the victim's
address.  The Host Identity Protocol and, by definition, all 
multi-homing protocols (see, e.g., IETF's Shim working group) have this 
"multi-address" property.

But there is actually another mechanism that can prevent such
redirection-based flooding attacks:  The victim does not know what to do
with the received TCP segments, hence it will send an RST segment and
cause the TCP sender to stop.

In case you use a different transport protocol than TCP, ICMP Port
Unreachable messages would typically be used instead.

A RST segment's sequence number must fit into the TCP sender's receive 
window, otherwise the RST segment will be discarded.  As Mark Doll 
mentioned in a private discussion, the attacker could exploit this by 
advancing the TCP sender's receive window fast enough so that the 
victim's RST segments won't have an effect.  This is even
easier for the attacker if the TCP sender implements the mechanisms
specified in [1].  (The attacker would have to send data packets for 
this, however.)

[1] draft-ietf-tcpm-tcpsecure-03.txt

- Christian

-- 
Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH)
www.tm.uka.de/~chvogt/pubkey/


Detlef Bosau wrote:
> Christian Vogt wrote:
> 
>>Everybody,
>>
>>a typical issue with mobility protocols such as Mobile IPv6 [1] or the
>>Host Identity Protocol's mobility extensions [2] is that they
>>potentially introduce a new form of flooding attack:  redirection-based
>>flooding attacks.
>>
>>In waging a redirection-based flooding attack, the perpetrator uses its
>>own IP address to request the download of a large file, e.g., through a
>>TCP handshake.  Once the server begins transmitting this file, the
>>attacker redirects the flow to the IP address of its victim, pretending
>>to be mobile and to now be reachable via the victim's IP address.
> 
> 
> 
> Yes. And because there exists no corresponding socket at the "victim",
> the sender will send one CWND worth of data,
> see a number of timeouts and backoffs and eventually die.
> 
> O.k., there may be a dozen annoying packets or so.
> 
> And of course, there exist more convincing scenarios for your problem
> than just a TCP flow ;-)
> 
> Despite this, I'm not fully convinced of the relevance of Mobile IP
> and its descendants. For me, the world
> consists of wirebound networks, mobile wide area networks (with their own
> L2 infrastructure and micromobility) and perhaps
> the one or the other leaf network which appears like an "IEEE....."
> network segment. Hence, I don't see a compelling reason
> for mobile IP. Of course, you mentioned a potential security problem in
> mobile IP. So, if something is not really necessary
> but raises a problem, one possible way out is to forget about this
> one :-)
> 
> (Yes, of course, I know about the battlefield scenario.... However,
> when I look at actual battlefields, I'm not fully convinced
> that the lack of MANETs and mobile IP is the dominant problem there...)
> 
> 
>>Of course, reachability tests take their time and have an impact on
>>handoff performance.  They thus compromise the quality of
>>delay-sensitive real-time applications such as VoIP.  But there are ways
> 
> 
> I don't see any sense in VoIP over wireless networks.
> 
> If you use VoIP in wirebound networks, which can make sense under
> certain conditions, you would direct a VoIP flow to a wireless
> terminal using a service that terminates the VoIP flow in the wirebound
> network and forwards the voice flow via an ordinary voice stream
> using the mobile network's TDM interface.
> 
> Detlef
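The RST acceptance rule Christian describes (the RST's sequence number must fall into the TCP sender's receive window, and the tcpsecure draft [1] tightens that to an exact RCV.NXT match) can be modelled in a few lines. The following is an added illustration, not code from this thread or from any of the protocols named; all sequence numbers and window sizes in it are constructed, and `victim_rst_fate` is a hypothetical helper that simply applies both rules to a RST whose SEQ was copied from the ACK field of the data segment that provoked it.

```python
# Added example (not from the e2e thread): how a victim's RST segment is
# validated by the TCP sender under the classic RFC 793 window test and under
# the tcpsecure rule referred to as [1]. All numbers here are constructed.

MOD = 2 ** 32  # TCP sequence numbers wrap at 2^32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_action_rfc793(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Classic rule: any RST whose SEQ lies inside the receive window aborts
    the connection; everything else is silently dropped."""
    return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_tcpsecure(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """tcpsecure rule: only an exact RCV.NXT match resets; an in-window but
    inexact RST is answered with a challenge ACK; out-of-window is dropped."""
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def victim_rst_fate(rcv_nxt_at_send: int, advanced_bytes: int, rcv_wnd: int) -> dict:
    """Hypothetical helper. A host with no matching socket answers a data
    segment with a RST whose SEQ is the ACK field of that segment, i.e. the
    sender's RCV.NXT at the moment the segment left. If RCV.NXT has moved on
    by `advanced_bytes` (new data arrived at the sender) before the RST gets
    there, the RST is stale. Returns the outcome under both rules."""
    rst_seq = rcv_nxt_at_send
    rcv_nxt_now = (rcv_nxt_at_send + advanced_bytes) % MOD
    return {
        "rfc793": rst_action_rfc793(rst_seq, rcv_nxt_now, rcv_wnd),
        "tcpsecure": rst_action_tcpsecure(rst_seq, rcv_nxt_now, rcv_wnd),
    }


if __name__ == "__main__":
    # Constructed scenario: the sender advertises a 64 KiB receive window.
    print(victim_rst_fate(1000, 0, 65535))     # fresh RST: both rules reset
    print(victim_rst_fate(1000, 1460, 65535))  # RCV.NXT moved one MSS: both drop
    # In-window but inexact SEQ: RFC 793 resets, tcpsecure sends a challenge ACK
    print(rst_action_rfc793(1200, 1000, 65535), rst_action_tcpsecure(1200, 1000, 65535))
```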