On Wed, Jan 27, 2016 at 07:20:04PM +0000, Salz, Rich wrote:

> > Please explain. The traffic can only come from the party who initially
> > obtains the cookie in a full round-trip. How does the botnet DoS some
> > third party with this?
>
> Attacker wants to bring down an akamai host. They connect to one of our
> servers with the fast-open option and get the cookie. They then spread
> that cookie all over the internet and zillions of bots connect.

The connections need to be from the attacker's original IP address that
obtained the cookie.

> Our server spawns zillions of threads and starts to do some work, or the
> TCP queue fills up. I can't filter on IP address to stop the attack
> because the client IP address is bogus.

The client IP address is not entirely "bogus", it is the IP address of the
client that obtained the cookie, otherwise the cookie is not valid. Block
sending cookies to sources whose cookies are abused.

Also note that the TFO queue length is limited, and most requests will
require a full round-trip when the request volume is high.

Anyway, this is not the right forum for TFO threat analysis that has
nothing to do with SSL. We should add client-side support for TFO.

-- 
	Viktor.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
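Added here to illustrate the point made in the reply (this is example code, not from the thread, from OpenSSL, or from any real TCP stack): a constructed model of a TFO server in which the cookie is a MAC over the client's source address under a server secret, the fast-open queue is bounded, and a source that uses its cookie for too many fast-opens stops being served. The secret, the queue and abuse limits, the cookie length and the addresses are assumptions of the example.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

COOKIE_LEN = 8  # bytes of MAC kept as the cookie (constructed choice)


class TfoServer:
    """Constructed model of a TFO server: cookies are bound to the client IP,
    the fast-open queue is bounded, and an abusing source is cut off."""

    def __init__(self, secret, queue_limit=4, abuse_limit=10):
        self.secret = secret
        self.queue_limit = queue_limit   # bounded TFO queue (assumed size)
        self.abuse_limit = abuse_limit   # fast-opens per source before cut-off
        self.pending = 0                 # fast-open requests currently queued
        self.fast_opens = defaultdict(int)
        self.blocked = set()             # sources no longer served by TFO

    def _mac(self, src_ip):
        # The cookie is only valid for the address it was issued to.
        packed = ipaddress.ip_address(src_ip).packed
        return hmac.new(self.secret, packed, hashlib.sha256).digest()[:COOKIE_LEN]

    def issue_cookie(self, src_ip):
        """Cookie returned in the SYN-ACK of a full handshake; None if blocked."""
        return None if src_ip in self.blocked else self._mac(src_ip)

    def syn_with_data(self, src_ip, cookie):
        """Handle a SYN carrying a cookie and data.
        'fast'     -> data accepted before the handshake completes
        'fallback' -> data discarded, ordinary three-way handshake instead"""
        if src_ip in self.blocked or not hmac.compare_digest(cookie, self._mac(src_ip)):
            return "fallback"
        if self.pending >= self.queue_limit:
            return "fallback"            # queue full: treated like a normal SYN
        self.pending += 1
        self.fast_opens[src_ip] += 1
        if self.fast_opens[src_ip] > self.abuse_limit:
            self.blocked.add(src_ip)     # filter on the source the cookie is bound to
        return "fast"

    def handshake_complete(self):
        self.pending = max(0, self.pending - 1)


def replay_from_other_hosts(server, cookie, bot_ips):
    """Present one host's cookie from other source addresses."""
    return [server.syn_with_data(ip, cookie) for ip in bot_ips]
```

A cookie handed to other hosts fails the MAC check from their addresses and only costs those hosts a normal handshake; the sole address it validates from is the one it was issued to, which is the address the server can filter on.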