nanog mailing list archives
Re: Kiss-o'-death packets?
From: Sean Donelan <sean () donelan com>
Date: Mon, 6 Oct 2003 05:40:54 -0400 (EDT)
On Mon, 6 Oct 2003 Valdis.Kletnieks () vt edu wrote:
> The problem with a 'kiss-o-death' packet is that it needs to be authenticated. Otherwise, you can use spoofed packets to DoS somebody. How many lines are in your root-DNS hints? And even if we insist on the KoD packet having the query ID in it, that's a TINY address space. I can even feed you spam to force you to hit the DNS, trickle you some forged KoD packets, and within a day or so make you refuse to talk to any of the root nameservers... (Note that TCP connections are a lot more easily dealt with, as the 3-packet handshake adds a lot to the security. However, Wesel's numbers on "98% of the root DNS traffic is bogus" indicate that we really need this on the UDP side of the fence as well....)
That's why I mentioned the 4-way handshake, and the need for it in many
different protocols. It's authenticated based on the end-to-end
communication, but not on a higher authority (e.g. PKI). Man in the
middle attacks exist, but a MITM could disrupt the communications anyway.
Phase I

    Send IP packet                                          ->
                <-  ICMP GoAway + nonce + header & 64 bytes of packet
    Match sent IP packet?
        No        -> Ignore
        Duplicate -> Ignore (i.e. received a reply from the "real" host)
        Yes       -> Sender is now informed of the possible problem
Phase II
The next phase could be TCP, UDP, SSL, whatever. I made it ICMP for
simplicity. In phase II the source (or edge or firewall) confirms
the intention/desire of the destination host to drop the unwanted
packets.
    Send ICMP Block + nonce + header & 64 bytes of ICMP GoAway   ->
        Match sent ICMP GoAway?
            No  -> Reply no block
            Yes -> Reply with block code
                <-  ICMP Block Reply + header & 64 bytes of ICMP Block
                    Code (no block, host, protocol, port, source)
    Match sent ICMP Block?
        No  -> Ignore
        Yes
            No block                              -> Ignore
            Block host, protocol, port or source  ->
                Locally respond to future packets to host/protocol/port/source
                as Destination Unreachable
                Set dampening timer, remove block when expires
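The two-phase exchange sketched above, as an added Python simulation that is not part of the original post: each side accepts only messages that echo something it actually sent, so a GoAway or Block Reply that matches nothing of ours is ignored, and a confirmed block installs a local "unreachable" answer guarded by a dampening timer. The message layout (type tag, 8-byte nonce, 64-byte echo), the class and method names and the sample packet are this example's assumptions, not the post's; only host-scope blocks are modelled.

```python
import os
import time
ECHO = 64  # each reply echoes the header and first 64 bytes of the message it answers
class Destination:  # host that wants the unwanted packets dropped at the source
    def __init__(self): self.goaways = set()               # echoes of GoAways we sent
    def goaway(self, packet: bytes) -> bytes:
        msg = b"GOAWAY" + os.urandom(8) + packet[:ECHO]    # type + nonce + echo
        self.goaways.add(msg[:ECHO])
        return msg
    def on_block(self, block: bytes, code: bytes = b"host") -> bytes:
        if block[13:] not in self.goaways:                 # not a GoAway we sent
            code = b"none"                                 # -> reply "no block"
        return b"BLOCKREPLY" + code.ljust(8) + block[:ECHO]
class Source:  # sender (or edge/firewall): accepts only what matches its own traffic
    def __init__(self, dampen: float = 300.0):
        self.sent, self.answered, self.informed = set(), set(), {}
        self.blocks_sent, self.blocked, self.dampen = set(), {}, dampen
    def send(self, dst: str, packet: bytes) -> bool:
        if self.blocked.get(dst, 0) > time.time():         # block still active:
            return False                                   # answer locally, Unreachable
        self.sent.add(packet[:ECHO])
        return True
    def real_reply(self, packet: bytes): self.answered.add(packet[:ECHO])  # real host answered
    def on_goaway(self, msg: bytes) -> bool:               # Phase I
        echo = msg[14:]                                    # nonce occupies bytes 6..13
        if echo not in self.sent or echo in self.answered or echo in self.informed:
            return False                                   # spoofed, unknown or duplicate
        self.informed[echo] = msg
        return True
    def block(self, goaway: bytes) -> bytes:               # Phase II request
        msg = b"BLOCK" + os.urandom(8) + goaway[:ECHO]
        self.blocks_sent.add(msg[:ECHO])
        return msg
    def on_block_reply(self, dst: str, reply: bytes) -> bool:
        code, echo = reply[10:18].strip(), reply[18:]
        if echo not in self.blocks_sent or code == b"none":
            return False                                   # unmatched, or "no block"
        self.blocked[dst] = time.time() + self.dampen      # dampening timer
        return True

def demo() -> dict:  # one exchange plus a spoofed GoAway, on constructed sample data
    src, dst, pkt = Source(), Destination(), b"constructed unwanted packet " + b"x" * 60
    src.send("dst", pkt)
    spoof = b"GOAWAY" + os.urandom(8) + b"never sent".ljust(ECHO, b".")
    out, ga = {"spoof_ignored": not src.on_goaway(spoof)}, dst.goaway(pkt)
    out["real_accepted"], out["dup_ignored"] = src.on_goaway(ga), not src.on_goaway(ga)
    out["blocked"] = src.on_block_reply("dst", dst.on_block(src.block(ga)))
    out["dropped_locally"] = not src.send("dst", pkt)
    return out
```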
