Re: [IPsec] DDoS Protection issue #226 - Do we need puzzles at all?

2014-11-26 Thread Nico Williams
On Wed, Nov 26, 2014 at 08:10:35PM +, Graham Bartlett (grbartle) wrote:
> Great point. Puzzles are a good tool that will be needed if/when DDoS becomes
> a serious issue. (I can't think of a silver bullet which will solve this)

For VPN SGs using puzzles all the time would be fine, but for VPN
clients it'd be very rude to use them when acting as the responder!  The
protocol may be symmetric, but some uses aren't.

VPN clients probably don't talk to more than one SG at a time, so why
should they need puzzles at all?  For single-user VPN clients there's
not much of a DDoS problem.  Even for BITW uses...

For end-to-end IPsec using complex puzzles all the time would probably
not be useful at all, but using them as load goes up would be very
appropriate.

Responder load seems like a variable that always works for deciding when
to use puzzles and how complex they should be.  VPN clients generally
will never have too much IKE load, while SGs make tempting DDoS targets,
therefore SGs could definitely use puzzles when under attack.

Another variable worth using for determining puzzle complexity is the
responder's estimated cost of holding the half-open IKE SA and completing
the exchange.  For a protocol where the initiator can demonstrate having
recently been a productive peer there may be no need to make the
initiator spend a lot of time on puzzles -- no need to punish the
innocent parties, when you know who they are (but innocence is difficult
to determine).

> They should also not be mandatory (with the option to be configurable as
> per cookie notifications) as I would assume some hosts will never be able
> to support these.

Yes, but I'd rather we have a general recommendation with as simple a
configuration knob as possible and with a sensible default setting that
most will never need to change.  IKE load seems like the most sensible
variable to use in deciding when to use puzzles and how hard they should
be.

Specify the feature (puzzles) and provide general guidance as to when to
use it and how hard to make it on the initiator.

Nico
-- 

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


Re: [IPsec] DDoS Protection issue #226 - Do we need puzzles at all?

2014-11-26 Thread Graham Bartlett (grbartle)
Great point. Puzzles are a good tool that will be needed if/when DDoS becomes
a serious issue. (I can't think of a silver bullet which will solve this)

They should also not be mandatory (with the option to be configurable as
per cookie notifications) as I would assume some hosts will never be able
to support these.


cheers

On 26/11/2014 20:02, "Nico Williams"  wrote:

>On Wed, Nov 26, 2014 at 02:01:22PM +0200, Yoav Nir wrote:
>> Puzzles limit the rate at which a particular host can create half-open
>> SAs. If the puzzle takes 2 seconds to solve then a particular
>> initiator (whether legitimate initiator, or a node in a bot-net) can
>> create at most 1 half-open SA every 2 seconds.
>> 
>> Another way to achieve the same goal is to limit the half-open SA
>> lifetime to 10 seconds and have a hard limit of 5 concurrent half-open
>> SAs per peer. Sure, the attacker will be able to open 5 half-open SAs
>> within one second, but will then be rejected for the next 9.
>> 
>> So why do I think we still need puzzles?
>
>I agree with your and Michael's points, but do recall that
>initiator/responder roles are exchangeable, and even when initiators are
>"clients" they might have to speak to many other responders.  Puzzles, or
>puzzle complexity, seem like a good device for throttling half-open IKE
>SA creation when under load, but it might not be a good idea to have 2s
>puzzles on all the time.
>
>Nico
>-- 
>


Re: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-protection-00.txt

2014-11-26 Thread Graham Bartlett (grbartle)
Hi Yoav

Here are some words I penned regarding some ideas I had to complement your
RFC.

cheers

RFC 5685 describes the use of an IKEv2 redirect to send a client to another
VPN gateway. For large-scale implementations this can be used to redirect a
client to a geographically closer gateway, thereby grouping clients by
location. E.g. a client in London will initially request a session to
vpn.example.com; based on the client's source IP address it is
redirected to the European VPN gateway (eu.vpn.example.com), which only
serves clients from Europe and prevents any non-European IP addresses from
connecting. Using this method, geographically grouped IP addresses can be
assigned to gateways, therefore preventing attackers not in the geographic
group from connecting. This obviously doesn't prevent attackers from
spoofing an IP address which would be accepted by the gateway. By limiting
clients by location, IP TTL security mechanisms can be employed to accept
connections from hosts a small number of hops away, therefore
assisting to mitigate an attack from hosts distributed over the globe.




On 27/10/2014 21:48, "internet-dra...@ietf.org" 
wrote:

>
>A New Internet-Draft is available from the on-line Internet-Drafts
>directories.
> This draft is a work item of the IP Security Maintenance and Extensions
>Working Group of the IETF.
>
>Title   : Protecting Internet Key Exchange (IKE)
>Implementations from Distributed Denial of Service Attacks
>Author  : Yoav Nir
>   Filename: draft-ietf-ipsecme-ddos-protection-00.txt
>   Pages   : 12
>   Date: 2014-10-27
>
>Abstract:
>   This document recommends implementation and configuration best
>   practices for Internet-connected IPsec Responders, to allow them to
>   resist Denial of Service and Distributed Denial of Service attacks.
>   Additionally, the document introduces a new mechanism called "Client
>   Puzzles" that help accomplish this task.
>
>
>The IETF datatracker status page for this draft is:
>https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ddos-protection/
>
>There's also a htmlized version available at:
>http://tools.ietf.org/html/draft-ietf-ipsecme-ddos-protection-00
>
>
>Please note that it may take a couple of minutes from the time of
>submission
>until the htmlized version and diff are available at tools.ietf.org.
>
>Internet-Drafts are also available by anonymous FTP at:
>ftp://ftp.ietf.org/internet-drafts/
>
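The two-stage scheme Graham sketches above (a front-door responder that redirects by source address, then a regional gateway that admits only in-region sources that also look nearby by IP TTL) as an added, self-contained example; it is not code from the thread, from RFC 5685, or from the draft. The prefix-to-gateway table uses RFC 5737 documentation ranges standing in for real geolocation data, the gateway names are the ones from Graham's message, and the hop estimate is a common heuristic (assume the sender started from the smallest typical initial TTL not below what was observed), which a spoofing sender can defeat by choosing its own initial TTL, so it only raises the bar, as the message itself notes:

```python
import ipaddress

# Constructed mapping of source prefixes to regional gateways. The prefixes are RFC 5737
# documentation ranges standing in for whatever geolocation data a deployment really uses.
REGIONAL_GATEWAYS = {
    "eu.vpn.example.com": [ipaddress.ip_network("198.51.100.0/24")],
    "us.vpn.example.com": [ipaddress.ip_network("203.0.113.0/24")],
}
COMMON_INITIAL_TTLS = (64, 128, 255)  # defaults used by most host operating systems


def gateway_for(src_ip):
    """Which regional gateway, if any, serves this source address."""
    addr = ipaddress.ip_address(src_ip)
    for gateway, prefixes in REGIONAL_GATEWAYS.items():
        if any(addr in prefix for prefix in prefixes):
            return gateway
    return None


def front_door(src_ip):
    """vpn.example.com: answer with a REDIRECT (RFC 5685) to the regional gateway, or reject."""
    gateway = gateway_for(src_ip)
    return ("REDIRECT", gateway) if gateway else ("REJECT", None)


def estimated_hops(observed_ttl):
    """Heuristic hop count: assume the smallest common initial TTL not below the observed value.
    A spoofing sender picks its own initial TTL, so this is a bar-raiser, not a proof of locality."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    return None  # TTL above any plausible initial value


def regional_gateway(gateway, src_ip, observed_ttl, max_hops=12):
    """eu.vpn.example.com etc.: accept only in-region sources that also look a few hops away."""
    if gateway_for(src_ip) != gateway:
        return "reject: source outside this gateway's region"
    hops = estimated_hops(observed_ttl)
    if hops is None or hops > max_hops:
        return "reject: source too many hops away"
    return "accept"
```

`max_hops` is a deployment knob: too small and legitimate in-region clients behind long paths are turned away, too large and the TTL check adds nothing over the prefix check.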


Re: [IPsec] DDoS Protection issue #226 - Do we need puzzles at all?

2014-11-26 Thread Nico Williams
On Wed, Nov 26, 2014 at 02:01:22PM +0200, Yoav Nir wrote:
> Puzzles limit the rate at which a particular host can create half-open
> SAs. If the puzzle takes 2 seconds to solve then a particular
> initiator (whether legitimate initiator, or a node in a bot-net) can
> create at most 1 half-open SA every 2 seconds.
> 
> Another way to achieve the same goal is to limit the half-open SA
> lifetime to 10 seconds and have a hard limit of 5 concurrent half-open
> SAs per peer. Sure, the attacker will be able to open 5 half-open SAs
> within one second, but will then be rejected for the next 9.
> 
> So why do I think we still need puzzles?

I agree with your and Michael's points, but do recall that
initiator/responder roles are exchangeable, and even when initiators are
"clients" they might have to speak to many other responders.  Puzzles, or
puzzle complexity, seem like a good device for throttling half-open IKE
SA creation when under load, but it might not be a good idea to have 2s
puzzles on all the time.

Nico
-- 



Re: [IPsec] DDoS Protection issue #226 - Do we need puzzles at all?

2014-11-26 Thread Yaron Sheffer

I don't buy Yoav's argument but I also think puzzles should stay.

The reason is, puzzles work well in the case where a botnet is attacking 
multiple gateways concurrently. Each gateway can rate-limit the traffic 
directed to it, but unless we associate a significant cost with each 
message, the botnet is as effective against each of the gateways as it 
would be if it was only attacking a single gateway. With puzzles, the 
"good guys" are helping one another without needing to communicate 
between them.


Thanks,
Yaron

On 11/26/2014 06:46 PM, Michael Richardson wrote:


Yoav Nir  wrote:
 > I don’t like hard limits. Hard limits allow a very easy form of DoS. If
 > everyone in this hotel is behind a single NAT device, then it’s fairly
 > easy for me to create multiple half-open SAs from my room until I hit
 > the hard limit. After that, everyone will be effectively blocked from

Except now apply CGN in an IPv4-address-poor country, and it's not just the
people in the hotel, it's potentially everyone in that area.  Given 300-odd
well distributed, compromised hosts, one could keep the half-SA table full
for much of the developing world...

So I buy your argument.





Re: [IPsec] DDoS Protection issue #226 - Do we need puzzles at all?

2014-11-26 Thread Michael Richardson

Yoav Nir  wrote:
> I don’t like hard limits. Hard limits allow a very easy form of DoS. If
> everyone in this hotel is behind a single NAT device, then it’s fairly
> easy for me to create multiple half-open SAs from my room until I hit
> the hard limit. After that, everyone will be effectively blocked from

Except now apply CGN in an IPv4-address-poor country, and it's not just the
people in the hotel, it's potentially everyone in that area.  Given 300-odd
well distributed, compromised hosts, one could keep the half-SA table full
for much of the developing world...

So I buy your argument.

-- 
Michael Richardson , Sandelman Software Works
 -= IPv6 IoT consulting =-





pgpH58tKnxa9S.pgp
Description: PGP signature
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


[IPsec] DDoS Protection issue #226 - Do we need puzzles at all?

2014-11-26 Thread Yoav Nir
http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/226 


Hi.

I think this one we should get out of the way first.

Puzzles limit the rate at which a particular host can create half-open SAs. If 
the puzzle takes 2 seconds to solve then a particular initiator (whether 
legitimate initiator, or a node in a bot-net) can create at most 1 half-open SA 
every 2 seconds.

Another way to achieve the same goal is to limit the half-open SA lifetime to 
10 seconds and have a hard limit of 5 concurrent half-open SAs per peer. Sure, 
the attacker will be able to open 5 half-open SAs within one second, but will 
then be rejected for the next 9.

So why do I think we still need puzzles?

I don’t like hard limits. Hard limits allow a very easy form of DoS. If 
everyone in this hotel is behind a single NAT device, then it’s fairly easy for 
me to create multiple half-open SAs from my room until I hit the hard limit. 
After that, everyone will be effectively blocked from initiating. So while this 
is not a “nobody can connect to victim gateway” attack, it is “nobody in this 
hotel can connect to victim gateway”.  Soft limits are better. With soft limits 
you start dishing out puzzles when you reach a certain threshold, and you never 
completely block.

That’s why I think puzzles should stay.

Yoav
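Yoav's hotel-NAT argument above, and Nico's suggestion earlier in the thread that puzzle difficulty should follow responder load, as one added simulation; this is example code written for this page, not code from the thread or from the draft. It assumes Yoav's numbers (10 s half-open lifetime, hard limit of 5 per peer address), a puzzle of the form "find a solution such that SHA-256(cookie || solution) starts with N zero bits" (an assumed form, not necessarily the draft's), a stateless cookie built like IKEv2's COOKIE notify (a MAC over the peer address and the difficulty, with the secret assumed to rotate to bound replay), a soft threshold of 4 total half-open SAs, and a constructed NAT address from a documentation range:

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

HALF_OPEN_LIFETIME = 10.0   # Yoav's numbers: half-open SAs live 10 s ...
HARD_LIMIT_PER_PEER = 5     # ... and a hard limit of 5 per peer address

class Responder:
    """Half-open SA table keyed by peer address, with lifetime-based expiry."""
    def __init__(self):
        self._expiry = defaultdict(deque)  # peer_ip -> expiry times, oldest first
    def expire(self, now):
        for q in self._expiry.values():
            while q and q[0] <= now:
                q.popleft()
    def half_open(self, peer_ip=None):
        """Half-open SAs held by one peer address, or in total."""
        if peer_ip is None:
            return sum(len(q) for q in self._expiry.values())
        return len(self._expiry[peer_ip])
    def add(self, peer_ip, now):
        self._expiry[peer_ip].append(now + HALF_OPEN_LIFETIME)

class HardLimitResponder(Responder):
    """Hard per-address limit: everyone behind one NAT shares the address, so one room locks out the hotel."""
    def ike_sa_init(self, peer_ip, now):
        self.expire(now)
        if self.half_open(peer_ip) >= HARD_LIMIT_PER_PEER:
            return "rejected"
        self.add(peer_ip, now)
        return "half-open"

def leading_zero_bits(data):
    """Leading zero bits of a byte string."""
    bits = 0
    for byte in data:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def verify_solution(cookie, solution, difficulty):
    """Puzzle form assumed here: SHA-256(cookie || solution) starts with `difficulty` zero bits."""
    return leading_zero_bits(hashlib.sha256(cookie + solution).digest()) >= difficulty

def solve_puzzle(cookie, difficulty):
    """The initiator's work: brute force, about 2**difficulty hashes."""
    n = 0
    while not verify_solution(cookie, n.to_bytes(8, "big"), difficulty):
        n += 1
    return n.to_bytes(8, "big")

class PuzzleResponder(Responder):
    """Soft limit: free below `soft_threshold` total half-open SAs; above it every IKE_SA_INIT
    gets a puzzle whose difficulty grows with total load (Nico's variable), never a refusal."""
    def __init__(self, soft_threshold=4, step=2, max_difficulty=8):
        super().__init__()
        self.soft_threshold, self.step, self.max_difficulty = soft_threshold, step, max_difficulty
        self.secret = os.urandom(32)  # assumed to be rotated periodically to bound replay (not shown)
    def difficulty(self, now):
        self.expire(now)
        load = self.half_open()
        if load < self.soft_threshold:
            return 0
        return min(self.max_difficulty, 1 + (load - self.soft_threshold) // self.step)
    def make_cookie(self, peer_ip, difficulty):
        """Stateless cookie in the spirit of IKEv2's COOKIE notify: difficulty byte + MAC over peer and difficulty."""
        mac = hmac.new(self.secret, peer_ip.encode() + bytes([difficulty]), "sha256").digest()
        return bytes([difficulty]) + mac[:15]
    def ike_sa_init(self, peer_ip, now, cookie=None, solution=None):
        d = self.difficulty(now)
        if d == 0:
            self.add(peer_ip, now)
            return "half-open", None
        if cookie and solution is not None:
            genuine = hmac.compare_digest(cookie, self.make_cookie(peer_ip, cookie[0]))
            if genuine and verify_solution(cookie, solution, cookie[0]):
                self.add(peer_ip, now)
                return "half-open", None
        return "puzzle", (self.make_cookie(peer_ip, d), d)

def hotel_scenario(nat_ip="203.0.113.7"):
    """Constructed scenario: an attacker and an innocent guest behind the same NAT address."""
    hard, soft = HardLimitResponder(), PuzzleResponder()
    for i in range(5):  # the attacker fires five IKE_SA_INITs within one second ...
        hard.ike_sa_init(nat_ip, now=0.2 * i)
        soft.ike_sa_init(nat_ip, now=0.2 * i)  # ... and never solves the puzzles it is given
    out = {"hard_guest_1s": hard.ike_sa_init(nat_ip, now=1.0),
           "hard_guest_11s": hard.ike_sa_init(nat_ip, now=11.0)}
    status, (cookie, d) = soft.ike_sa_init(nat_ip, now=1.0)
    out["soft_guest_1s"], out["soft_difficulty"] = status, d
    solution = solve_puzzle(cookie, d)
    out["soft_guest_solved"] = soft.ike_sa_init(nat_ip, now=1.1, cookie=cookie, solution=solution)[0]
    return out
```

Under the hard limit the guest is refused for the rest of the 10 s window the attacker filled; under the soft limit the guest is handed a difficulty-1 puzzle, solves it, and gets its half-open SA, while the attacker's unsolved puzzles cost the responder no table entries. Since difficulty is driven by total half-open load rather than by per-address counts, the same code also behaves sensibly behind CGN, where one address stands for a whole region.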