On Tue 2016-01-26 16:37:58 -0500, Salz, Rich wrote:
> TFO is interesting because it lets UDP-style attacks happen at the TCP
> level. Normally you can't do a TCP attack unless you have a valid
> client IP address.
>
> Imagine connecting once and then sending the syncookie to the botnet.
This suggests that you have on-path capabilities between each of the reflectors and the victim, right? If you have on-path capabilities, couldn't you do a similar attack against a live TCP session? Learn (or create) the sequence number of a TCP session between each of the reflectors and the target, and distribute them to the botnet? Then each member of the botnet sends out a TCP packet (sequence numbers augmented in some coordinated fashion) to the reflector that triggers an ACK (and even worse, a data flow) from the reflector to the victim.

I've never done this, so maybe I've missed some mitigating detail, but it seems like the same risk with or without TFO.

--dkg

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
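The detail dkg's reply rests on is that a TFO cookie is bound to the client address the server saw when it issued it, so a cookie handed out to one host does not let SYNs with a spoofed source address carry data that the server acts on before the handshake completes. The following is an added illustration of that server-side check, not code from the thread or from OpenSSL: the HMAC-SHA256 cookie construction, the 8-byte cookie length, the `handle_syn` decision function and the sample addresses are all assumptions made for this example (RFC 7413 only requires the cookie to be a keyed function of the client IP, and leaves the exact construction to the implementation).

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Toy choice for this example; RFC 7413 allows cookies of 4 to 16 bytes.
COOKIE_LEN = 8


def make_cookie(server_secret: bytes, client_ip: str) -> bytes:
    """Derive a TFO cookie bound to the client's source IP.

    Modelled on RFC 7413's guidance that the cookie be a keyed function of
    the client IP. The HMAC-SHA256 construction is an assumption for this
    example, not what any particular TCP stack does.
    """
    ip_bytes = ipaddress.ip_address(client_ip).packed
    mac = hmac.new(server_secret, ip_bytes, hashlib.sha256).digest()
    return mac[:COOKIE_LEN]


def cookie_is_valid(server_secret: bytes, src_ip: str, cookie: bytes) -> bool:
    """Server-side check: recompute the cookie for the source address that is
    actually on the wire and compare in constant time."""
    expected = make_cookie(server_secret, src_ip)
    return hmac.compare_digest(expected, cookie)


@dataclass
class Syn:
    src_ip: str               # source address as seen on the wire (may be spoofed)
    cookie: Optional[bytes]   # TFO cookie option, if present
    payload: bytes            # data carried in the SYN segment


def handle_syn(server_secret: bytes, syn: Syn) -> str:
    """Decide how a server treats an incoming SYN.

    'accept-data'   - cookie matches the observed source IP, so the data in
                      the SYN is handed up before the handshake completes
                      (this is the TFO fast path the thread is discussing)
    'fallback-3whs' - cookie absent or not valid for this source IP, so the
                      data is dropped and a plain SYN-ACK is sent; nothing
                      beyond a normal handshake reply goes to the source
    """
    if syn.cookie is not None and cookie_is_valid(server_secret, syn.src_ip, syn.cookie):
        return "accept-data"
    return "fallback-3whs"


def accepted_data_bytes(server_secret: bytes, syns: List[Syn]) -> int:
    """Total SYN payload the server would act on before any handshake completes."""
    return sum(len(s.payload) for s in syns
               if handle_syn(server_secret, s) == "accept-data")


def demo() -> dict:
    """Constructed scenario: a cookie issued to one address is replayed in SYNs
    whose source address has been rewritten to a different host."""
    secret = b"constructed-demo-server-secret"      # assumption: per-server key
    issued_to = "203.0.113.5"                        # address the cookie was issued to
    other_host = "198.51.100.9"                      # address the cookie was NOT issued to
    cookie = make_cookie(secret, issued_to)

    genuine = Syn(issued_to, cookie, b"GET / HTTP/1.1\r\n\r\n")
    rewritten = [Syn(other_host, cookie, b"GET / HTTP/1.1\r\n\r\n") for _ in range(100)]

    return {
        "genuine": handle_syn(secret, genuine),
        "rewritten_first": handle_syn(secret, rewritten[0]),
        "rewritten_accepted_bytes": accepted_data_bytes(secret, rewritten),
    }


if __name__ == "__main__":
    print(demo())
```

The cookie only validates when recomputed for the address that is on the wire, which is why the scenario in the thread needs the cookie that the server would issue to the victim's own address; obtaining that is exactly the on-path requirement dkg points out, and without it every replayed SYN falls back to an ordinary handshake.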