Security Attacks Found Against the Stream Control Transmission Protocol (SCTP) and Current Countermeasures
RFC 5062
Document Type RFC - Informational (September 2007; No errata)
Authors Gonzalo Camarillo  , Randall Stewart  , Michael Tüxen 
Last updated 2015-10-14
Replaces draft-stewart-tsvwg-sctpthreat
Stream IETF
Formats plain text html pdf htmlized bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5062 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Lars Eggert
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                         R. Stewart
Request for Comments: 5062                           Cisco Systems, Inc.
Category: Informational                                        M. Tuexen
                                      Muenster Univ. of Applied Sciences
                                                            G. Camarillo
                                                                Ericsson
                                                          September 2007

                    Security Attacks Found Against
            the Stream Control Transmission Protocol (SCTP)
                      and Current Countermeasures

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   This document describes certain security threats to SCTP.  It also
   describes ways to mitigate these threats, in particular by using
   techniques from the SCTP Specification Errata and Issues memo (RFC
   4460).  These techniques are included in RFC 4960, which obsoletes
   RFC 2960.  It is hoped that this information will provide some useful
   background information for many of the newest requirements spelled
   out in the SCTP Specification Errata and Issues and included in RFC
   4960.

Stewart, et al.              Informational                      [Page 1]
RFC 5062                 SCTP Security Attacks            September 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Address Camping or Stealing  . . . . . . . . . . . . . . . . .  2
   3.  Association Hijacking 1  . . . . . . . . . . . . . . . . . . .  3
   4.  Association Hijacking 2  . . . . . . . . . . . . . . . . . . .  6
   5.  Bombing Attack (Amplification) 1 . . . . . . . . . . . . . . .  7
   6.  Bombing Attack (Amplification) 2 . . . . . . . . . . . . . . .  9
   7.  Association Redirection  . . . . . . . . . . . . . . . . . . . 10
   8.  Bombing Attack (Amplification) 3 . . . . . . . . . . . . . . . 10
   9.  Bombing Attack (Amplification) 4 . . . . . . . . . . . . . . . 11
   10. Bombing Attack (amplification) 5 . . . . . . . . . . . . . . . 11
   11. Security Considerations  . . . . . . . . . . . . . . . . . . . 12
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.  Introduction

   Stream Control Transmission Protocol, originally defined in
   [RFC2960], is a multi-homed transport protocol.  As such, unique
   security threats exists that are addressed in various ways within the
   protocol itself.  This document describes certain security threats to
   SCTP.  It also describes ways to mitigate these threats, in
   particular by using techniques from the SCTP Specification Errata and
   Issues memo [RFC4460].  These techniques are included in [RFC4960],
   which obsoletes [RFC2960].  It is hoped that this information will
   provide some useful background information for many of the newest
   requirements spelled out in the [RFC4460] and included in [RFC4960].

   This work and some of the changes that went into [RFC4460] and
   [RFC4960] are much indebted to the paper on potential SCTP security
   risks [EFFECTS] by Aura, Nikander, and Camarillo.  Without their
   work, some of these changes would remain undocumented and potential
   threats.

   The rest of this document will concentrate on the various attacks
   that were illustrated in [EFFECTS] and detail the preventative
   measures now in place, if any, within the current SCTP standards.

2.  Address Camping or Stealing

   This attack is a form of denial of service attack crafted around
   SCTP's multi-homing.  In effect, an illegitimate endpoint connects to
   a server and "camps upon" or "holds up" a valid peer's address.  This
   is done to prevent the legitimate peer from communicating with the
   server.

Stewart, et al.              Informational                      [Page 2]
RFC 5062                 SCTP Security Attacks            September 2007

2.1.  Attack Details

      +----------+            +----------+           +----------+
      | Evil     |            |  Server  |           | Client   |
      |     IP-A=+------------+          +-----------+=IP-C & D |
      | Attacker |            |          |           | Victim   |
      +----------+            +----------+           +----------+

                            Figure 1: Camping

   Consider the scenario illustrated in Figure 1.  The attacker
   legitimately holds IP-A and wishes to prevent the 'Client-Victim'
   from communicating with the 'Server'.  Note also that the client is
   multi-homed.  The attacker first guesses the port number our client
   will use in its association attempt.  It then uses this port and sets
   up an association with the server listing not only IP-A but also IP-C
   in its initial INIT chunk.  The server will respond and set up the
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools