[openssl-dev] [openssl.org #4271] Enhancement Request: Support TCP Fast Open

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jan 27 19:32:07 UTC 2016


On Wed, Jan 27, 2016 at 07:20:04PM +0000, Salz, Rich wrote:

> > Please explain.  The traffic can only come from the party who initially obtains
> > the cookie in a full round-trip.  How does the botnet DoS some third party
> > with this?
> 
> Attacker wants to bring down an akamai host.  They connect to one of our
> servers with the fast-open option and get the cookie.  They then spread
> that cookie all over the internet and zillions of bots connect.

The connections need to be from the attacker's original IP address that
obtained the cookie.

> Our server
> spawns zillions of threads and starts to do some work, or the TCP queue
> fills up.  I can't filter on IP address to stop the attack because the
> client IP address is bogus.

The client IP address is not entirely "bogus", it is the IP address
of the client that obtained the cookie, otherwise the cookie is
not valid.  Block sending cookies to sources whose cookies are
abused.

Also note that the TFO queue length is limited, and most requests
will require a full round-trip when the request volume is high.

Anyway, this is not the right forum for TFO threat analysis that
has nothing to do with SSL.  We should add client-side support
for TFO.

-- 
	Viktor.
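As an added illustration (not part of the thread or of OpenSSL), a toy model of the server-side check Viktor describes: the TFO cookie is a keyed function of the client's source address, so a cookie handed out to other hosts fails validation from their addresses and the server falls back to a normal handshake without accepting the SYN data, and a bounded pending queue forces the same fallback once it fills. An HMAC stands in for the kernel's block-cipher cookie, and all addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import Counter


class TfoServerModel:
    """Simplified model of RFC 7413 server behaviour (modelling assumption:
    real kernels derive the cookie with a block cipher over the client IP;
    a truncated HMAC of the address plays that role here)."""

    def __init__(self, qlen=16):
        self._secret = secrets.token_bytes(16)  # per-server cookie key
        self.qlen = qlen        # cap on pending fast-open requests, like the kernel's qlen
        self.pending = 0

    def cookie_for(self, client_ip):
        packed = ipaddress.ip_address(client_ip).packed
        return hmac.new(self._secret, packed, hashlib.sha256).digest()[:8]

    def issue_cookie(self, client_ip):
        """Cookie request answered during a full three-way handshake."""
        return self.cookie_for(client_ip)

    def accept_syn_data(self, src_ip, cookie):
        """Classify a SYN carrying data and a cookie from src_ip."""
        if not hmac.compare_digest(cookie, self.cookie_for(src_ip)):
            # Cookie does not match this source address: data is discarded
            # and the peer has to complete a normal handshake.
            return "fallback_bad_cookie"
        if self.pending >= self.qlen:
            # Queue full: still a normal handshake, no early data accepted.
            return "fallback_queue_full"
        self.pending += 1
        return "fastopen"


def simulate_cookie_spread(bot_ips, owner_ip="192.0.2.10", qlen=16):
    """Owner obtains a cookie; the same cookie is then replayed from every
    bot address. Returns a Counter of how the server classified each SYN."""
    server = TfoServerModel(qlen=qlen)
    cookie = server.issue_cookie(owner_ip)
    return Counter(server.accept_syn_data(ip, cookie) for ip in bot_ips)


if __name__ == "__main__":
    bots = ["198.51.100.%d" % i for i in range(1, 11)]  # constructed addresses
    print(simulate_cookie_spread(bots))  # every bot falls back to a full handshake
```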

