INTERNET-DRAFT                                              C. Byrne
Intended Status: Informational                            J. Kleberg
Expires: January 21, 2016                              July 20, 2015
Advisory Guidelines for UDP Deployment
draft-byrne-opsec-udp-advisory-00
Abstract
User Datagram Protocol (UDP) is commonly used as a volumetric attack
transport on the internet. Some network operators experience surges
of UDP attack traffic that are multiple orders of magnitude above the
baseline traffic rate for UDP. Application developers should be
advised that UDP is being rate-limited on a bits-per-second and
packet-per-second basis by network operators to enforce known good
baseline traffic levels for UDP. UDP has been abused to such an
extent that legitimate use may become collateral damage and
application and protocol developers should avoid using UDP as a
transport when possible.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright and License Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
Byrne Expires January 21, 2016 [Page 1]
INTERNET DRAFT Advisory Guidelines for UDP Deployment July 20, 2015
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Threat from UDP . . . . . . . . . . . . . . . . . . . . . . . . 3
3 Recommendations for Application and Protocol Developers . . . . 3
4 Recommendations for Network Operators . . . . . . . . . . . . . 3
3 Security Considerations . . . . . . . . . . . . . . . . . . . . 4
4 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
5 References . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.1 Normative References . . . . . . . . . . . . . . . . . . . 4
5.2 Informative References . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5
1 Introduction
The User Datagram Protocol (UDP) [RFC768] provides a minimal,
unreliable, best-effort, message-passing transport to applications
and other protocols (such as tunnels) that desire to operate over UDP
[I-D.draft-ietf-tsvwg-rfc5405bis]. Since UDP does not establish an
end-to-end connection at the transport layer, it is possible to carry
out a distributed reflective denial-of-service (DRDoS) attack using
spoofed source IP addresses [ROSSOW]. Large amplification attacks
have happened daily for years and are having a widespread negative
impact on the internet [US-CERT].
2 Threat from UDP
Simplicity is the strength of UDP. Simplicity is also UDP's
weakness. UDP allows an application to answer a single packet with a
response. TCP [RFC793] and SCTP [RFC4960] operate differently: TCP
has a three-way handshake and SCTP has a four-way handshake, so they
verify within the transport layer that the reverse path will accept
the communication before the application layer engages. Since UDP
does no such handshaking in the transport layer, applications are
left to create their own procedure for responding to network
communication initiation. In the case of SNMP, NTP, CHARGEN, and
DNS, a single spoofed IP packet can, in many deployments, elicit a
much larger response directed at the attack target. The result is
that several of these UDP deployments, covering millions of internet
nodes, allow an attacker to hide the true source of the attack and to
amplify its magnitude by reflecting off widely deployed UDP services
on the internet [ROSSOW].
3 Recommendations for Application and Protocol Developers
1. Application and protocol developers should avoid using UDP. The
abuse of UDP for DRDoS on the internet has made UDP subject to
aggressive filtering at the transport protocol level.
2. If UDP must be used, encapsulate it in IPsec [RFC4303] to avoid
matching IP protocol 17 filters.
3. In the case of WebRTC [I-D.draft-ietf-rtcweb-transports], TURN
[RFC5766] should be used to concentrate and manage known-good
UDP flows. It is also recommended that WebRTC evolve to support
native SCTP transport.
4. In the case of QUIC [I-D.draft-tsvwg-quic-protocol] and other
transport innovations, a new IANA-assigned protocol number should
be used to meaningfully differentiate such traffic from commonly
abused UDP services.
4 Recommendations for Network Operators
1. To prevent spoofed reflection attacks, all network operators
should implement anti-spoof address filtering [RFC2827]. This
prevents the trigger of the DRDoS.
2. Network operators should govern the types of systems that offer
UDP services. This stewardship of directly attached nodes limits
the fleet of nodes offering UDP services that could be abused for
DRDoS.
3. Network operators should baseline and rate-limit UDP in bits-per-
second and packets-per-second. This acts as a protection
mechanism that prevents unexpected large UDP flows, which are
highly likely to be DRDoS, from propagating across the internet.
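The two operator-side controls in this section, ingress filtering per [RFC2827] and UDP baselining with per-interval bps/pps checks, shown as an added example that is not part of this draft. The interface names, assigned prefixes, baseline rates, flow records and the 10x surge factor are all constructed assumptions.

```python
"""Added example (not from draft-byrne-opsec-udp-advisory): applies the
section 4 operator controls to constructed flow records:
  (1) RFC 2827 ingress filtering: forward a packet only if its source
      address lies in a prefix assigned to the interface it arrived on;
  (2) UDP baselining: flag an interval whose UDP packets-per-second or
      bits-per-second exceed a multiple of the known-good baseline."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Flow:
    iface: str
    src: str
    proto: int      # IP protocol number; 17 == UDP
    packets: int
    octets: int

# Constructed: customer-facing interfaces and the prefixes assigned to them.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25")],
}

def permitted_by_ingress_filter(iface: str, src: str) -> bool:
    """Anti-spoof check: source must belong to the ingress interface's
    prefixes. An unknown interface has no prefixes, so it is denied."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ASSIGNED.get(iface, []))

def udp_rates(flows, interval_s: float):
    """Aggregate UDP (protocol 17) packets/s and bits/s over one interval."""
    pkts = sum(f.packets for f in flows if f.proto == 17)
    bits = sum(f.octets * 8 for f in flows if f.proto == 17)
    return pkts / interval_s, bits / interval_s

def udp_surge(flows, interval_s, baseline_pps, baseline_bps, factor=10.0):
    """True when either UDP rate exceeds `factor` times its baseline; this
    is the condition under which the operator's UDP rate limit engages."""
    pps, bps = udp_rates(flows, interval_s)
    return pps > factor * baseline_pps or bps > factor * baseline_bps

# Constructed one-second samples. Normal: 500 pps / 480 kbps of UDP.
NORMAL = [Flow("cust-a", "198.51.100.7", 17, 500, 60_000),
          Flow("cust-a", "198.51.100.9", 6, 2000, 2_400_000)]
# Constructed attack: a spoofed source arriving on cust-b at 200x baseline.
ATTACK = [Flow("cust-b", "198.51.100.7", 17, 100_000, 120_000_000)]

if __name__ == "__main__":
    print(permitted_by_ingress_filter("cust-b", "198.51.100.7"))  # False
    print(udp_surge(ATTACK, 1.0, 500, 480_000))                    # True
```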
3 Security Considerations
The continued abuse of UDP is a material security threat to the
availability of the internet. While mitigating the threat at the
node implementation level would be ideal, years of experience have
demonstrated that this is not broadly effective. While limiting UDP
improves overall network availability, it is likely that several
important protocols will be negatively impacted, including DNS,
DNSSEC, DTLS, SRTP, UDP-encapsulated IPsec and others.
4 IANA Considerations
None.
5 References
5.1 Normative References
[RFC768] Postel, J., "User Datagram Protocol", RFC 768, August 1980.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005.
[RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using
Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN)", RFC 5766, April 2010.
[ROSSOW] Rossow, C., "Amplification Hell: Revisiting Network
Protocols for DDoS Abuse",
https://www.internetsociety.org/sites/default/files/01_5.pdf,
February 2014.
5.2 Informative References
[I-D.draft-ietf-rtcweb-transports] Alvestrand, H., "Transports for
WebRTC", draft-ietf-rtcweb-transports-09 (work in
progress), July 2015.
[I-D.draft-ietf-tsvwg-rfc5405bis] Eggert, L., Fairhurst, G., and G.
Shepherd, "UDP Usage Guidelines", draft-ietf-tsvwg-
rfc5405bis-03 (work in progress), July 2015.
[I-D.draft-tsvwg-quic-protocol] Hamilton, R., Iyengar, J., Swett, I.,
and A. Wilk, "QUIC: A UDP-Based Secure and Reliable Transport
for HTTP/2", draft-tsvwg-quic-protocol-01 (work in
progress), July 2015.
[RFC793] Postel, J., "Transmission Control Protocol", RFC 793,
September 1981.
[RFC4960] Stewart, R., "Stream Control Transmission Protocol",
RFC 4960, September 2007.
[US-CERT] US-CERT, "Alert (TA14-017A) UDP-Based Amplification
Attacks", https://www.us-cert.gov/ncas/alerts/TA14-017A,
2015.
Authors' Addresses
Cameron Byrne
Bellevue, WA, USA
EMail: Cameron.Byrne@T-Mobile.com
Jason Kleberg
Bellevue, WA, USA
EMail: Jason.Kleberg@T-Mobile.com