[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Using cookies to defeat syn-flooding

To: ipsec@TIS.COM, rivest@theory.lcs.mit.edu
Subject: Re: Using cookies to defeat syn-flooding
From: touch@isi.edu
Date: Mon, 23 Sep 1996 09:37:10 -0700
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Posted-Date: Mon, 23 Sep 1996 09:37:10 -0700
Sender: ipsec-approval@neptune.tis.com

> From ipsec-request@neptune.hq.tis.com Mon Sep 23 05:51:48 1996
> From: Ron Rivest <rivest@theory.lcs.mit.edu>
> Date: Fri, 20 Sep 96 17:14:38 EDT
> To: ipsec@tis.com
> Subject: Using cookies to defeat syn-flooding
> 
> 
> Here is a thought on a scheme for defeating swamping (syn-flooding)
> attacks, together with an improvement suggested by Butler Lampson.
> Since I'm not an expert on network protocols, it needs review by those
> who are...
> 
> Flooding attack (paragraph to define problem and establish terminology):
> 
...
> The idea:
> 
> Defer A's allocation of resources until A has some confirmation that 
> B is "real". (I.e. until the third message of the three-message protocol
> is received from B).

This is the key issue - deferring resources. As others have
pointed out, this includes CPU time.

> How:
> 
> When A receives the first SYN packet, it does NOT generate a queue
> entry.  Rather, it sends B, as part of its return SYN packet, 
> a "cookie" that contains the information that the queue entry would have:
> 	-- source id of the SYN packet received
> 	-- when to time the connection request out
> 	-- port number
> 	-- other stuff (?)
> The cookie would contain this material in the clear, together with
> a cryptographic checksum (MAC) on this data, computing from the data
> of the cookie and a secret key known only to machine A. 

> When B replies, he returns the cookie, which A checks.  A cookie with
> an invalid MAC is discarded.  A cookie with a good MAC that has not
> timed out and which has not already been honored will generate a new

The time-out, together with the resources to store the cookie
and associated info, is the resource that needs to be
deferred.

So this has the same problem. Rather than tying up a TCP control block, 
this will tie-up your "cookie" table.

The presumption here must be that, by sending a cookie, the receiver
can time-out quicker. This can't occur, since a gap in the cookie-exchange 
has no effect on the timeout of the TCP connection establishment.

Joe
----------------------------------------------------------------------
Joe Touch - touch@isi.edu		    http://www.isi.edu/~touch/
ISI / Project Leader, ATOMIC-2, LSAM       http://www.isi.edu/atomic2/
USC / Research Assistant Prof.                http://www.isi.edu/lsam/

From: "carlisle (c.m.) adams" <cadams@nortel.ca>
Message-Id:  <"1680 Mon Sep 23 10:32:20 1996"@bnr.ca> 
To: jkennedy@cylink.com
Cc: johnmarc@cylink.com, ipsec@TIS.COM, ietf-pkix@tandem.com, 
    isakmp-oakley@cisco.com, skip-info@tik.ee.ethz.ch
Subject:  re:NOTICE: DSS Profile for X.509 Certificates to be deleted. 
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Date: Mon, 23 Sep 96 12:39:20 EDT



In message "NOTICE: DSS Profile for X.509 Certificates to be deleted.", 
jkennedy@cylink.com writes:

>
>I received the following message from the Internet-Drafts Administrator about 
>a month ago regarding the deletion of the I-D John Marchioni and I co-authored 
>on a "DSS Profile for X.509 Certificates".  This draft was submitted only as 
>an interim solution since the PKIX was just coming up to speed and had not yet 
>included this material in the PKIX draft.  I do not know exactly what the 
>status of the X.509 DSS profile is in the PKIX document so I am sharing this 
>current status information with you now.  As far as I know DSS Certificates 
>are being used in both the SKIP and ISAKMP/Oakley reference implementations 
>and the aforementioned draft is cited in the applicable I-D's for these key 
>management protocols.
>
>I have a number of choices:
>
>a) Do nothing and let the draft gracefully expire.
>b) Update and submit a revised draft of draft-ietf-ipsec-dss-cert-00.txt.
>c) Pester the PKIX editors to make sure this material gets absorbed into their 
>next draft if it is not already there. (hint, hint...:) )
>
>My preference and intention is to do (a) and (c) and at most submit a revised 
>draft that simply points to PKIX.  It is not clear that a revised draft is 
>even necessary if current IPSEC and other working group drafts which point to 
>draft-ietf-ipsec-dss-cert-00.txt are revised to now point to pkix-3.


Do you really mean "pkix-3" here, or do you mean "pkix-1".  Part three is
the certificate management protocols -- it's not clear to me that a DSS profile
for X.509 certificates belongs there.  Or am I missing something?

Carlisle.



From: Ran Atkinson <rja@inet.org>
Reply-To: rja1@home.net
Organization: The Internet Guild
X-Mailer: Mozilla 3.0 (Win95; I)
Mime-Version: 1.0
To: senvad@hotmail.com
Cc: ipsec@TIS.COM
Subject: IPsec Security Association attributes
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Date: Mon, 23 Sep 96 13:18:23 EDT
Message-ID:  <9609231318.aa01788@neptune.TIS.COM>

Hi,

  Please go read RFC-1825, available online from
ftp://ds.internic.net/rfc/rfc1825.txt, where the attributes
of an IPsec Security Association are defined.

  If you're looking for reference code, I usually recommend
examining the NRL IPsec source code for 4.4 BSD available from
	http://web.mit.edu/network/isakmp/
OR	ftp://ftp.ripe.net/ipv6/nrl/

Thanks,

Ran
rja@inet.org

Prev by Date: Re: Resistance to swamping attacks via Kim Tom's idea
Next by Date: Re: Using cookies to defeat syn-flooding
Prev by thread: Re: Using cookies to defeat syn-flooding
Next by thread: Re: Using cookies to defeat syn-flooding
Index(es):
- Main
- Thread