Security Attacks Found Against the Stream Control Transmission Protocol (SCTP) and Current Countermeasures
RFC 5062
Network Working Group                                         R. Stewart
Request for Comments: 5062                           Cisco Systems, Inc.
Category: Informational                                        M. Tuexen
                                      Muenster Univ. of Applied Sciences
                                                            G. Camarillo
                                                                Ericsson
                                                          September 2007
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Abstract
This document describes certain security threats to SCTP. It also
describes ways to mitigate these threats, in particular by using
techniques from the SCTP Specification Errata and Issues memo (RFC
4460). These techniques are included in RFC 4960, which obsoletes
RFC 2960. It is hoped that this information will provide some useful
background information for many of the newest requirements spelled
out in the SCTP Specification Errata and Issues and included in RFC
4960.
Stewart, et al. Informational [Page 1]
RFC 5062 SCTP Security Attacks September 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Address Camping or Stealing . . . . . . . . . . . . . . . . . 2
3. Association Hijacking 1 . . . . . . . . . . . . . . . . . . . 3
4. Association Hijacking 2 . . . . . . . . . . . . . . . . . . . 6
5. Bombing Attack (Amplification) 1 . . . . . . . . . . . . . . . 7
6. Bombing Attack (Amplification) 2 . . . . . . . . . . . . . . . 9
7. Association Redirection . . . . . . . . . . . . . . . . . . . 10
8. Bombing Attack (Amplification) 3 . . . . . . . . . . . . . . . 10
9. Bombing Attack (Amplification) 4 . . . . . . . . . . . . . . . 11
10. Bombing Attack (Amplification) 5 . . . . . . . . . . . . . . . 11
11. Security Considerations . . . . . . . . . . . . . . . . . . . 12
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
The Stream Control Transmission Protocol (SCTP), originally defined in
[RFC2960], is a multi-homed transport protocol. As such, unique
security threats exist that are addressed in various ways within the
protocol itself. This document describes certain security threats to
SCTP. It also describes ways to mitigate these threats, in
particular by using techniques from the SCTP Specification Errata and
Issues memo [RFC4460]. These techniques are included in [RFC4960],
which obsoletes [RFC2960]. It is hoped that this information will
provide some useful background for many of the newest requirements
spelled out in [RFC4460] and included in [RFC4960].
This work and some of the changes that went into [RFC4460] and
[RFC4960] are much indebted to the paper on potential SCTP security
risks [EFFECTS] by Aura, Nikander, and Camarillo. Without their
work, some of these changes would remain undocumented, and the
threats they address would remain open.
The rest of this document will concentrate on the various attacks
that were illustrated in [EFFECTS] and detail the preventative
measures now in place, if any, within the current SCTP standards.
2. Address Camping or Stealing
This attack is a form of denial of service attack crafted around
SCTP's multi-homing. In effect, an illegitimate endpoint connects to
a server and "camps upon" or "holds up" a valid peer's address. This
is done to prevent the legitimate peer from communicating with the
server.
2.1. Attack Details
   +----------+           +----------+           +----------+
   |   Evil   |           |          |           |  Client  |
   |   IP-A  =+-----------+  Server  +-----------+=IP-C & D |
   | Attacker |           |          |           |  Victim  |
   +----------+           +----------+           +----------+

                         Figure 1: Camping
Consider the scenario illustrated in Figure 1. The attacker
legitimately holds IP-A and wishes to prevent the 'Client-Victim'
from communicating with the 'Server'. Note also that the client is
multi-homed. The attacker first guesses the port number our client
will use in its association attempt. It then uses this port and sets
up an association with the server listing not only IP-A but also IP-C
in its initial INIT chunk. The server will respond and set up the
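The following model of the camping attack in Section 2.1 is an added example and is not text or code from RFC 5062. It reproduces only what the section describes: the attacker at IP-A guesses the port the victim will use, sends the server an INIT listing both IP-A and the victim's IP-C, and the server's (address, port) lookup then collides with the victim's own INIT from IP-C. The second server mode, which keeps INIT-listed addresses "unconfirmed" until a HEARTBEAT sent to that address is answered, is an assumption modelled on RFC 4960 path verification and is not taken from this page. All addresses, ports and the HOLDER table are constructed for the example.

```python
"""Model of the SCTP address-camping attack (RFC 5062, Section 2.1).

Added example, not part of RFC 5062.  The 'require_confirmation' server
mode is an assumption modelled on RFC 4960 HEARTBEAT path verification,
not text from this page.  Addresses and ports are constructed.
"""
from dataclasses import dataclass, field

# Constructed addresses for the parties in Figure 1.
IP_A = "10.0.0.1"       # attacker's legitimately held address
IP_C = "198.51.100.7"   # victim's first address
IP_D = "198.51.100.8"   # victim's second address (the client is multi-homed)

# Which host really answers on which address: the network's view, not the
# server's.  The attacker does not hold IP-C, so HEARTBEATs to IP-C never
# reach it.  (Constructed.)
HOLDER = {IP_A: "attacker", IP_C: "client", IP_D: "client"}


@dataclass
class Association:
    initiator: str                  # source address the INIT arrived from
    port: int                       # peer port (source port of the INIT)
    listed: set                     # every address the INIT claimed
    confirmed: set = field(default_factory=set)


class Server:
    """SCTP server that indexes associations by (peer address, peer port)."""

    def __init__(self, require_confirmation: bool):
        self.require_confirmation = require_confirmation
        self.assocs: list = []

    def _usable(self, a: Association) -> set:
        # Assumption: the hardened server only counts addresses it has
        # verified; the naive server trusts everything the INIT listed.
        return a.confirmed if self.require_confirmation else a.listed

    def find(self, addr: str, port: int):
        """Return the association owning (addr, port), or None."""
        for a in self.assocs:
            if a.port == port and addr in self._usable(a):
                return a
        return None

    def handle_init(self, src_addr: str, src_port: int, extra_addrs) -> str:
        """Process an INIT; return 'ESTABLISHED' or 'COLLISION'."""
        listed = {src_addr, *extra_addrs}
        if any(self.find(addr, src_port) for addr in listed):
            return "COLLISION"      # (addr, port) already held by another association
        a = Association(src_addr, src_port, listed)
        a.confirmed.add(src_addr)   # the INIT's own source address is confirmed by the handshake
        self.assocs.append(a)
        if self.require_confirmation:
            self._heartbeat_unconfirmed(a)
        return "ESTABLISHED"

    def _heartbeat_unconfirmed(self, a: Association) -> None:
        """HEARTBEAT each unconfirmed address; only the host that actually holds
        the address and owns this association can answer (assumption)."""
        for addr in a.listed - a.confirmed:
            if HOLDER.get(addr) == HOLDER.get(a.initiator):
                a.confirmed.add(addr)   # HEARTBEAT ACK came back from that address
            # otherwise the address stays unconfirmed and cannot be camped on


def run_camping(require_confirmation: bool, guessed_port: int = 40000,
                victim_port: int = 40000) -> str:
    """Attacker camps on IP-C from IP-A first, then the victim connects from IP-C.

    Returns the server's verdict on the victim's INIT.
    """
    server = Server(require_confirmation)
    attacker = server.handle_init(IP_A, guessed_port, [IP_C])
    assert attacker == "ESTABLISHED"          # nothing stops the first INIT
    return server.handle_init(IP_C, victim_port, [IP_D])


if __name__ == "__main__":
    print("naive server, correct port guess :", run_camping(False))
    print("naive server, wrong port guess   :", run_camping(False, guessed_port=40001))
    print("confirming server, correct guess :", run_camping(True))
```

In the naive mode the victim's INIT from (IP-C, 40000) is rejected because the attacker's association already claims that pair, which is the denial of service the section describes; if the attacker guesses the wrong port there is no collision. With the assumed confirmation step, the HEARTBEAT to IP-C goes to the real client, which has no such association, so IP-C never becomes usable for the attacker and the victim's INIT succeeds.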