Kiss-o'-death packets?
Sean Donelan
sean at donelan.com
Mon Oct 6 09:40:54 UTC 2003
On Mon, 6 Oct 2003 Valdis.Kletnieks at vt.edu wrote:
> The problem with a 'kiss-o-death' packet is that it needs to be authenticated.
> Otherwise, you can use spoofed packets to DoS somebody. How many lines are in
> your root-DNS hints? And even if we insist on the KoD packet having the query
> ID in it, that's a TINY address space. I can even feed you spam to force you
> to hit the DNS, trickle you some forged KoD packets, and within a day or so
> make you refuse to talk to any of the root nameservers... (Note that TCP
> connections are a lot more easily dealt with, as the 3-packet handshake adds a
> lot to the security. However, Wesel's numbers on "98% of the root DNS traffic
> is bogus" indicate that we really need this on the UDP side of the fence as
> well....)
That's why I mentioned the 4-way handshake, and the need for it in many
different protocols. Its authenticated based on the end-to-end
communication, but not on a higher authority (e.g. PKI). Man in the
middle attacks exist, but MITM could disrupt the communications anyway.
Phase I
Send IP packet ->
<- ICMP GoAway + nonce + header&64 bytes of packet
Match sent IP packet?
No -> Ignore
Duplicate -> Ignore (i.e. received a reply from the "real" host)
Yes -> Sender is now informed of the possible problem
Phase II
The next phase could be TCP, UDP, SSL, whatever. I made it ICMP for
simplicity. In phase II the source (or edge or firewall) confirms
the intention/desire of the destination host to drop the unwanted
packets.
Send ICMP Block + nonce + header&64 bytes of ICMP GoAway ->
Match sent ICMP GoAway?
No -> Reply no block
Yes -> Reply with block code
<- ICMP Block Reply + header&64 bytes of ICMP Block
Code (no block, host, protocol, port, source)
Match sent ICMP Block?
No -> Ignore
Yes
No block -> Ignore
Block host, protocol, port or source ->
Locally respond to future packets to host/protocol/port/source
as Destination Unreachable
Set dampening timer, remove block when expires
More information about the NANOG
mailing list