Handling of TCP ACK throttling
draft-lvelvindron-ack-throttling-03

Document Type Active Internet-Draft (individual)
Last updated 2018-09-11
Network Working Group                                      L. Velvindron
Internet-Draft                                        September 11, 2018
Intended status: Informational
Expires: March 15, 2019

                     Handling of TCP ACK throttling
                  draft-lvelvindron-ack-throttling-03

Abstract

   The functionality provided by the TCP ACK throttling mechanism can be
   exploited as a side channel vulnerability to terminate connections
   between two arbitrary hosts and inject data in the communication
   stream.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 15, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Velvindron               Expires March 15, 2019                 [Page 1]
Internet-Draft       Handling of TCP ACK throttling       September 2018

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Recommendation for ACK throttling mechanism . . . . . . . . .   3
   3.  Operations  . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   6.  Normative References  . . . . . . . . . . . . . . . . . . . .   3
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   4

1.  Introduction

   [RFC5961] defines the challenge ACK response mechanism as a technique
   to mitigate blind in-window attacks.  Specifically, an ACK packet is
   sent in response to an incoming segment with the SYN bit set to
   confirm that the preceding connection was lost.  Another case is
   sending an ACK packet if a RST packet is received whose sequence
   number does not match the next expected sequence number.  Lastly, to
   prevent data injection, the range of acceptable ACK values is
   narrowed for better strictness, so that old ACK values and very new
   ACK values are discarded.  In all of those cases, the ACK packet is
   referred to as a "Challenge ACK" through the rest of this document.

   [RFC5961] also introduces an ACK throttling mechanism to reduce
   possible wastage of CPU and bandwidth resources by limiting the
   number of challenge ACKs that can be sent in a given interval.

   An attacker can leverage the Challenge ACK and the ACK throttling
   mechanism to abuse the global ACK throttling rate-limit on a target
   host.  Through a series of steps, the attacker can send spoofed
   packets to the target host, affect the global challenge ACK rate-
   limiter, count the number of challenge ACKs received, and finally
   compare that number with the target system limit.

   The attacker can then gather clues about: the existence of a 4-tuple
   connection, the next expected sequence number, and the expected ACK
   number.

   Based on the gathered information, the attacker can mount connection
   reset attacks and data injection attacks.  Those attacks have been
   demonstrated to work in real-world constraints according to [CBR01].
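   The following toy model, added here and not part of the draft or of
   any TCP implementation, shows why the shared counter described above
   leaks information and how a per-connection counter (used here only as
   an illustrative mitigation) removes the correlation.  The stack,
   connection 4-tuples, sequence numbers and the limit of 100 are all
   constructed; sequence-number wraparound is ignored.

```python
CHALLENGE_ACK_LIMIT = 100  # challenge ACKs allowed per interval (constructed value)

class Conn:
    def __init__(self, rcv_nxt):
        self.rcv_nxt = rcv_nxt              # next expected sequence number
        self.rcv_wnd = 65535                # receive window
        self.budget = CHALLENGE_ACK_LIMIT   # used by the "per_conn" policy only

class Stack:
    """Toy model of an RFC 5961 receiver that throttles challenge ACKs.  policy
    is "global" (one counter shared by all connections, as in the Introduction)
    or "per_conn" (one counter per connection, an illustrative mitigation).
    Sequence-number wraparound is ignored for brevity."""
    def __init__(self, policy):
        self.policy = policy
        self.conns = {}                     # 4-tuple -> Conn
        self.budget = CHALLENGE_ACK_LIMIT   # the shared counter

    def add_conn(self, key, rcv_nxt):
        self.conns[key] = Conn(rcv_nxt)

    def on_rst(self, key, seq):
        """Handle an incoming RST; return True if a challenge ACK is emitted."""
        conn = self.conns.get(key)
        if conn is None:
            return False                    # no such connection: dropped silently
        if seq == conn.rcv_nxt:
            del self.conns[key]             # exact match: connection is reset
            return False
        if not conn.rcv_nxt < seq < conn.rcv_nxt + conn.rcv_wnd:
            return False                    # outside the receive window: dropped
        # In-window but inexact: send a challenge ACK if the throttle allows it.
        bucket = self if self.policy == "global" else conn
        if bucket.budget == 0:
            return False
        bucket.budget -= 1
        return True

OWN = ("victim", 443, "observer", 40000)    # constructed 4-tuples
OTHER = ("victim", 443, "peer", 50000)

def challenge_acks_seen(policy, probe_key, probe_seq):
    """The measurement from the Introduction, run on the model: one spoofed
    in-window RST for probe_key, then CHALLENGE_ACK_LIMIT in-window RSTs on the
    observer's own connection.  Returns how many challenge ACKs came back."""
    stack = Stack(policy)
    stack.add_conn(OTHER, rcv_nxt=1000)
    stack.add_conn(OWN, rcv_nxt=5000)
    stack.on_rst(probe_key, probe_seq)
    return sum(stack.on_rst(OWN, 5001) for _ in range(CHALLENGE_ACK_LIMIT))
```

   With the "global" policy the count drops below the limit exactly when
   the probe hit an existing connection inside its window; with
   "per_conn" the count stays at the limit in every case.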

1.1.  Terminology

   Challenge ACK in this document denotes the ACK packet sent in
   response to a segment whose RST bit is set and whose sequence number
   does not fully match the next expected sequence value, but is within
   the current receive window as defined in [RFC5961].

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this