On Mon, 6 Oct 2003 Valdis.Kletnieks@vt.edu wrote:
The problem with a 'kiss-o-death' packet is that it needs to be authenticated. Otherwise, you can use spoofed packets to DoS somebody. How many lines are in your root-DNS hints? And even if we insist on the KoD packet having the query ID in it, that's a TINY address space. I can even feed you spam to force you to hit the DNS, trickle you some forged KoD packets, and within a day or so make you refuse to talk to any of the root nameservers... (Note that TCP connections are a lot more easily dealt with, as the 3-packet handshake adds a lot to the security. However, Wesel's numbers on "98% of the root DNS traffic is bogus" indicate that we really need this on the UDP side of the fence as well....)
That's why I mentioned the 4-way handshake, and the need for it in many different protocols. It's authenticated based on the end-to-end communication, but not on a higher authority (e.g. PKI). Man in the middle attacks exist, but MITM could disrupt the communications anyway.

Phase I

  Send IP packet ->
                                  <- ICMP GoAway + nonce + header&64 bytes of packet
  Match sent IP packet?
    No        -> Ignore
    Duplicate -> Ignore (i.e. received a reply from the "real" host)
    Yes       -> Sender is now informed of the possible problem

Phase II

The next phase could be TCP, UDP, SSL, whatever. I made it ICMP for simplicity. In phase II the source (or edge or firewall) confirms the intention/desire of the destination host to drop the unwanted packets.

  Send ICMP Block + nonce + header&64 bytes of ICMP GoAway ->
                                  Match sent ICMP GoAway?
                                    No  -> Reply no block
                                    Yes -> Reply with block code
                                  <- ICMP Block Reply + header&64 bytes of ICMP Block
                                     Code (no block, host, protocol, port, source)
  Match sent ICMP Block?
    No  -> Ignore
    Yes
      No block -> Ignore
      Block host, protocol, port or source ->
        Locally respond to future packets to host/protocol/port/source
          as Destination Unreachable
        Set dampening timer, remove block when expires
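The two-phase exchange sketched above, as an added example that is not code from this thread: a Python simulation in which every reply is matched against what the local host actually sent, so a GoAway that matches no outstanding packet, a duplicate GoAway, and a Block the destination never asked for are all ignored, and an installed block lapses when its dampening timer expires. The host names, the explicit `now` clock argument, and the single "port" block-scope code are assumptions of the example.

```python
import os

DAMPEN = 60.0  # seconds a block stays installed before the dampening timer removes it

class Host:
    def __init__(self, name, unwanted=()):
        self.name = name
        self.unwanted = set(unwanted)  # sources whose packets this host wants dropped at the sender
        self.sent = {}                 # outstanding things we sent: echo tuple or nonce -> kind
        self.answered = set()          # GoAway echoes already acted on (duplicate check)
        self.blocks = {}               # (dst, proto, port) -> expiry time of the local block

    # Phase I: send a packet; an unwilling receiver answers GoAway + nonce + echo
    def send_ip(self, dst, proto, port, payload, now):
        key = (dst.name, proto, port)
        if self.blocks.get(key, 0) > now:
            return "destination unreachable (local block)"
        self.blocks.pop(key, None)                        # dampening timer expired: block removed
        echo = (self.name, dst.name, proto, port, payload[:64])  # "header & 64 bytes of packet"
        self.sent[echo] = "ip"
        return dst.recv_ip(self, echo, now)

    def recv_ip(self, src, echo, now):
        if src.name not in self.unwanted:
            return "delivered"
        nonce = os.urandom(8)
        self.sent[nonce] = ("goaway", echo)               # kept so the Phase II Block can be matched
        return src.recv_goaway(self, nonce, echo, now)

    def recv_goaway(self, dst, nonce, echo, now):
        if self.sent.get(echo) != "ip":
            return "ignored: does not match a packet we sent"  # spoofed or stale GoAway
        if echo in self.answered:
            return "ignored: duplicate GoAway"
        self.answered.add(echo)
        self.sent[nonce] = ("block", echo)                # Phase II: ask destination to confirm
        return dst.recv_block(self, nonce, now)

    def recv_block(self, src, nonce, now):
        entry = self.sent.get(nonce)
        code = "port" if entry and entry[0] == "goaway" else None  # None = "no block" code
        return src.recv_block_reply(self, nonce, code, now)

    def recv_block_reply(self, dst, nonce, code, now):
        entry = self.sent.get(nonce)
        if not entry or entry[0] != "block":
            return "ignored: does not match a Block we sent"
        if code is None:
            return "no block"
        _, dst_name, proto, port, _ = entry[1]
        self.blocks[(dst_name, proto, port)] = now + DAMPEN   # set dampening timer
        return f"blocked {dst_name}/{proto}/{port}"
```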