[63453] in North American Network Operators' Group
Re: Kiss-o'-death packets?
daemon@ATHENA.MIT.EDU (Sean Donelan)
Mon Oct 6 05:41:31 2003
Date: Mon, 6 Oct 2003 05:40:54 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: Valdis.Kletnieks@vt.edu
Cc: nanog@merit.edu
In-Reply-To: <200310060711.h967BLCE022450@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 6 Oct 2003 Valdis.Kletnieks@vt.edu wrote:
> The problem with a 'kiss-o-death' packet is that it needs to be authenticated.
> Otherwise, you can use spoofed packets to DoS somebody. How many lines are in
> your root-DNS hints? And even if we insist on the KoD packet having the query
> ID in it, that's a TINY address space. I can even feed you spam to force you
> to hit the DNS, trickle you some forged KoD packets, and within a day or so
> make you refuse to talk to any of the root nameservers... (Note that TCP
> connections are a lot more easily dealt with, as the 3-packet handshake adds a
> lot to the security. However, Wesel's numbers on "98% of the root DNS traffic
> is bogus" indicate that we really need this on the UDP side of the fence as
> well....)
That's why I mentioned the 4-way handshake, and the need for it in many
different protocols. Its authenticated based on the end-to-end
communication, but not on a higher authority (e.g. PKI). Man in the
middle attacks exist, but MITM could disrupt the communications anyway.
Phase I
Send IP packet ->
<- ICMP GoAway + nonce + header&64 bytes of packet
Match sent IP packet?
No -> Ignore
Duplicate -> Ignore (i.e. received a reply from the "real" host)
Yes -> Sender is now informed of the possible problem
Phase II
The next phase could be TCP, UDP, SSL, whatever. I made it ICMP for
simplicity. In phase II the source (or edge or firewall) confirms
the intention/desire of the destination host to drop the unwanted
packets.
Send ICMP Block + nonce + header&64 bytes of ICMP GoAway ->
Match sent ICMP GoAway?
No -> Reply no block
Yes -> Reply with block code
<- ICMP Block Reply + header&64 bytes of ICMP Block
Code (no block, host, protocol, port, source)
Match sent ICMP Block?
No -> Ignore
Yes
No block -> Ignore
Block host, protocol, port or source ->
Locally respond to future packets to host/protocol/port/source
as Destination Unreachable
Set dampening timer, remove block when expires
