New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding a description of stream commitment attacks in security section #445
Changes from 1 commit
c4cad2f
12dd1f5
464a222
ddefb66
105e26e
693758b
a169a17
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2699,46 +2699,44 @@ packets with ACK frames. | |
|
||
## Stream commitment attack | ||
|
||
An adversarial client may try to use the | ||
An adversarial client may try to use the | ||
stream creation process to open a large | ||
number of streams and induce the server to | ||
number of streams and induce the server to | ||
commit memory resource for the various | ||
streams. The adversarial client, or clients, would repeat the process on a | ||
streams. The adversarial client, or clients, would repeat the process on a | ||
large number of connections, in an attempt to exhaust the server memory. This | ||
attack is in some ways similar to SYN flooding attack in TCP, in which the | ||
attackers try to exhaust a server memory by creating a large number of half | ||
attackers try to exhaust a server memory by creating a large number of half | ||
open TCP connections. It is less potent than the SYN flooding attack, since | ||
stream creation is much lighter weight than the creation of TCP-IP connections, | ||
and stream control data presumably requires less | ||
and stream control data presumably requires less | ||
memory resource than a TCP protocol | ||
control block. However, the attack can be amplified if the adversarial | ||
client can open multiple streams with a single message. | ||
|
||
Normally, clients will open streams sequentially, | ||
as explained in {{stream-identifiers}}. | ||
Normally, clients will open streams sequentially, | ||
as explained in {{stream-identifiers}}. | ||
However, when several streams are initiated at short intervals, | ||
transmission error may cause STREAM DATA frames opening streams to be | ||
received out of sequence. Some implementations will have provisions to | ||
received out of sequence. Some implementations will have provisions to | ||
open all intermediate streams in case of out-of-sequence arrival. For example, | ||
a server that receive STREAM DATA for streams 3 and then 9 may decide to | ||
open stream 5 and 7 immediately. An adversarial client | ||
open stream 5 and 7 immediately. An adversarial client | ||
would for example exploit that | ||
design by sending STREAM DATA for streams 3 and the 2,000,001, causing the | ||
design by sending STREAM DATA for streams 3 and the 2,000,001, causing the | ||
server to open 1 million connections, and contributing to server resource | ||
exhaustion. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Actually, this is much easier: a receiver is obligated to open intervening streams if a higher-numbered stream ID is received. Thus, on a new connection, opening stream 2000001 opens 1 million streams, as required by the specification. The stream concurrency limit protects against this sort of attack. |
||
|
||
The number of active streams is limited | ||
by the concurrent stream limit transport | ||
parameter, as explained in {{stream-concurrency}}. | ||
If chosen judisciously, this limit | ||
mitigates the effect of the stream commitment attack. | ||
The number of active streams is limited | ||
by the concurrent stream limit transport | ||
parameter, as explained in {{stream-concurrency}}. | ||
If chosen judisciously, this limit | ||
mitigates the effect of the stream commitment attack. | ||
However, setting the limit | ||
too low could affect performance when | ||
too low could affect performance when | ||
applications expect to open large number | ||
of streams. | ||
|
||
|
||
|
||
# IANA Considerations | ||
|
||
## QUIC Transport Parameter Registry {#iana-transport-parameters} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Title Case Headings are the Convention