Preventing CTM attacks
Posted: 05 Jan 2009, 15:34
It is possible to carry out a CTM flood attack by a rogue hub or a rogue user on a buggy hub. This type of attack is hard to prevent, but we can perhaps make it evident that it is happening, and also perhaps provide information about who is performing the attack (pinpoint hub).
It is essential that the client performing the connection will send the hub reference initially, so that this can be logged by the attacker. Unfortunately this breaks the protocol somewhat, but nothing big.
In ADC:
Today, the client receives a CTM via hub, and tries to connect to the address and then send the initial handshake:
"CSUP ADBASE (...)"
Proposed change:
Add flag "RF" (Reference) to the SUP command.
Example:
"CSUP ADBASE (...) RFadc://hub.example.com:1234"
Result: the attacked party can if necessary figure out which hub(s) are causing the CTMs by looking at incoming packets.
In NMDC:
Today, clients connect and send:
$MyNick <nick>|$Supports (...)|$Lock
Proposed:
$MyNick <nick>|$Supports (...)|$Ref dchub://hub.example.com:1234|$Lock
(Bonus; can even make the NMDC protocol a bit clearer).
Anyway, this is a trivial change for ADC clients, they simply need to accept another flag while parsing the CSUP message, and do not need to verify it (silent ignore).
In order to support it fully, the client also needs to set the RF-flag to point to the hub address whenever a CTM is received.
Even if not all clients do this, it will be evident to the attacked party which hub is generating the CTMs, so that further actions can be taken against the hubs in question.
Comments?
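As an added illustration of how the attacked party could use the proposed RF flag and $Ref command (example code, not from the post or any DC client): it parses the first handshake line of each incoming connection, silently skips unknown ADC flags as the proposal requires, and tallies connections per referenced hub. The handshake lines and the threshold of two connections are constructed assumptions.

```python
from collections import Counter

# Constructed sample: the first line each incoming client sends after acting
# on a CTM, as seen by the attacked party. ADC handshakes are space-separated
# flags; NMDC handshakes are '|'-separated commands. RF / $Ref are the
# proposed additions, so some clients will not send them.
SAMPLE_HANDSHAKES = [
    "CSUP ADBASE ADTIGR RFadc://hub.example.com:1234",
    "CSUP ADBASE ADTIGR RFadc://hub.example.com:1234",
    "CSUP ADBASE ADTIGR",                                          # no RF support
    "CSUP ADBASE ADTIGR ZZunknown RFadc://hub.example.com:1234",   # unknown flag ZZ
    "$MyNick bob|$Supports MiniSlots|$Ref dchub://rogue.example.net:411|$Lock EXTENDED|",
    "$MyNick eve|$Supports MiniSlots|$Lock EXTENDED|",             # no $Ref
]


def hub_reference(handshake):
    """Return the hub reference carried in a handshake, or None if absent.

    ADC: 'CSUP' followed by flags; each flag is a two-letter code plus its
    value ('ADBASE', 'RFadc://...'). Flags we do not know are ignored.
    NMDC: the proposed '$Ref <url>' command between $Supports and $Lock.
    """
    if handshake.startswith("CSUP "):
        for flag in handshake.split()[1:]:
            if flag[:2] == "RF" and len(flag) > 2:
                return flag[2:]
        return None
    if handshake.startswith("$MyNick "):
        for cmd in handshake.split("|"):
            if cmd.startswith("$Ref "):
                return cmd[5:].strip() or None
        return None
    return None  # neither protocol; nothing to attribute


def count_by_hub(handshakes):
    """Tally incoming connections by the hub they claim to originate from."""
    counts = Counter()
    for line in handshakes:
        counts[hub_reference(line) or "<no reference>"] += 1
    return counts


def suspect_hubs(handshakes, threshold=2):
    """Hubs referenced by at least `threshold` incoming connections."""
    return sorted(hub for hub, n in count_by_hub(handshakes).items()
                  if n >= threshold and hub != "<no reference>")
```

Connections that carry no reference still show up in the tally, so the attacked party can see how much of the flood is unattributable.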