Internet DRAFT - draft-lvelvindron-ack-throttling
draft-lvelvindron-ack-throttling
Network Working Group L. Velvindron
Internet-Draft September 11, 2018
Intended status: Informational
Expires: March 15, 2019
Handling of TCP ACK throttling
draft-lvelvindron-ack-throttling-03
Abstract
The functionality provided by the TCP ACK throttling mechanism can be
exploited as a side channel vulnerablity to terminate connections
between two arbitrary hosts and inject data in the communication
stream.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 15, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Velvindron Expires March 15, 2019 [Page 1]
Internet-Draft Handling of TCP ACK throttling September 2018
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2
2. Recommendation for ACK throttling mechanism . . . . . . . . . 3
3. Operations . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3
5. Security Considerations . . . . . . . . . . . . . . . . . . . 3
6. Normative References . . . . . . . . . . . . . . . . . . . . 3
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
[RFC5961] defines the challenge ACK response mechanism as a technique
to mitigate against blind in-window attacks. Specifically, an ACK
packet is sent in response to an incoming segment with a SYN bit to
confirm that the preceding connection was lost. Another case is
sending an ACK packet if the RST packet is received but the sequence
number does not match the next expected sequence number. Lastly, to
prevent data injection, the range of valid ACK value is reduced for
better strictness, so the likelihood of old ACK values and very new
ACK values are discarded. In all of those cases, the ACK packet is
referrered to as a "Challenge ACK" through the rest of this document.
[RFC5961] also introduces an ACK throttling mechanism to reduce
possible wastage of CPU and bandwidth resources by limiting the
number of challenge ACK that can be sent in a given interval.
An attacker can leverage the Challenge ACK and the ACK throttling
mechanism to abuse on the global ACK throttling rate-limit on a
target host. Through a series of step, the attacker can send spoofed
packets to the target host, affect the the global challenge ACK rate-
limiter, count the number of challenge ACK received, and finally
compare that number with the target system limit.
The attacker can then gather clues about: the existence of a 4-tuple
connection, the next expected sequence number, and the expected ACK
number.
Based on the gathered information, the attacker can mount connection
reset attacks and data injection attacks. Those attacks have been
demonstrated to work in real-world constraints according to [CBR01].
1.1. Terminology
Challenge ACK in this document denotes the ACK packet sent in
response to an segment whose RST bit is set and the sequence number
Velvindron Expires March 15, 2019 [Page 2]
Internet-Draft Handling of TCP ACK throttling September 2018
does not fully match the next expected sequence value, but is within
the current receive window as defined in [RFC5961].
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
document, are to be interpreted as described in [RFC2119].
2. Recommendation for ACK throttling mechanism
An implementation SHOULD have a per-socket ACK throttling mechanism
which is not shared across the system. This makes it more difficult
to abuse compared to having a single (global) ACK throttling
mechanism. Additionally, an implementation may also introduce a
randomized value to the interval defined in Section 7 of [RFC5961].
This makes the attacks defined in section 1 much more difficult.
3. Operations
It will take time to update all of the TCP implementations that fully
implement the ACK throttling mechanism as described in [RFC5961].
An operator can increase the value of the ACK throttling limit to the
highest value possible to mitigate the risk of the vulnerabilities
defined in section 1.
4. IANA Considerations
None of the proposed measures have an impact on IANA.
5. Security Considerations
The purpose of this document is to document security improvements to
the ACK throttling mechanism and also how an operator can mitigate
side channel vulnerabilities. Specific examples of those
vulnerabilities can be found in [CBR01]. In particular, the ACK
throttling mechanism leads to a side-channel vulnerability that can
be leveraged for connection reset and data injection attacks. A
description of this functionality can be found in section 1.
6. Normative References
[CBR01] Cao, Y., Wang, Z., Dao, T., Krishnamurthy, S., and L.
Marvel, "Off-Path TCP Exploits: Global Rate Limit
Considered Dangerous", University of California , 2016.
Velvindron Expires March 15, 2019 [Page 3]
Internet-Draft Handling of TCP ACK throttling September 2018
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's
Robustness to Blind In-Window Attacks", RFC 5961,
DOI 10.17487/RFC5961, August 2010,
<https://www.rfc-editor.org/info/rfc5961>.
Author's Address
Loganaden Velvindron
88 Avenue De Plevitz Roches Brunes
Rose Hill 71259
Mauritius
Phone: +230 59762817
Email: loganaden@gmail.com
Velvindron Expires March 15, 2019 [Page 4]