Re: KINK user-user scenario
Derek Atkins writes:
> Luckily this won't affect the app-server, necessarily. Do we throw out
> any existing SAs in the process? (I would suggest that the answer is
> 'no'.)
Because of an unauthenticated request? I'd say "heavens no" :-)
> I would also think that we would need to have some level of
> request limiting so an attacker can't repeatedly bounce tons of
> messages off a single app-client.
Sure... this is true of every protocol which is subject
to DoS attacks... which is every protocol, I suspect.
The question I have is whether we need to be explicit
here, or whether we could just point to a BCP-like
document which outlines general strategies for
coping with and/or narrowing DoS opportunities.
> However you can still get a distributed attack against the KDC,
> because an attacker can build a single "fake" packet and send it to
> all the app-clients it can find. Then all those app-clients will
> blindly request out to the KDC.
Yes. This is the thing that really bothers
me. A single well placed attacker could flood
its n-B-T Ethernet segment with U-U kinds of
requests to high fan-out gateways and slag an
entire farm of KDCs. Since it's not coming from a
point source, it makes it very hard to defend
as well as trace back.
Mike
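As an added illustration of the two points argued in this message (keep existing SAs on an unauthenticated request; bound how often an app-client will go to the KDC), the following simulation is example code written for this archive, not code from the KINK working group or any KINK implementation. It models an attacker handing one forged, unauthenticated U-U trigger to many app-clients, 1 ms apart, and counts what the KDC would see with and without request limiting. The message shape, the rate numbers (burst 2 / 1 per second per source, burst 10 / 5 per second overall), the source labels and all function names are assumptions for illustration only.

```python
"""
Added example, not from the KINK discussion or any KINK implementation.

Reflected/amplified DoS against the KDC: an attacker sends one forged,
unauthenticated user-to-user (U-U) trigger to many app-clients and each of
them asks the KDC for a ticket, so the KDC sees a flood from many innocent
sources. The app-client below (a) never discards existing SAs because of an
unauthenticated trigger and (b) bounds its outbound KDC requests with a
per-source token bucket plus a global one. Rates and names are assumed.
"""

from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Integer token bucket: tokens are held in thousandths so that
    millisecond timestamps give exact arithmetic (no float drift)."""
    capacity_mtok: int          # burst size * 1000
    refill_mtok_per_ms: int     # sustained rate: 1 mtok/ms == 1 request/s
    tokens: int = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = self.capacity_mtok

    def allow(self, now_ms: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.capacity_mtok,
                          self.tokens + elapsed * self.refill_mtok_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class AppClient:
    """An app-client that receives unauthenticated U-U triggers."""

    def __init__(self, limited: bool):
        self.limited = limited
        # Pre-existing SAs: an unauthenticated trigger must never evict them.
        self.sas = {"sa-to-peer-A": "established"}
        # Per-source state must be bounded (LRU or similar) in a real
        # implementation; kept as a plain dict here for clarity.
        self.per_source = {}
        # Assumed policy: burst 10, 5 req/s across all sources.
        self.global_bucket = TokenBucket(10_000, 5)
        self.kdc_requests = 0
        self.dropped = 0

    def handle_trigger(self, src: str, now_ms: int) -> bool:
        """Return True if a request to the KDC was issued for this trigger."""
        if self.limited:
            # Assumed policy: burst 2, 1 req/s per claimed source.
            bucket = self.per_source.setdefault(src, TokenBucket(2_000, 1))
            if not bucket.allow(now_ms) or not self.global_bucket.allow(now_ms):
                self.dropped += 1
                return False
        self.kdc_requests += 1      # stands in for the real KDC round trip
        return True


def simulate_flood(n_clients: int, n_packets: int,
                   rotate_sources: bool, limited: bool) -> dict:
    """Attacker sends n_packets forged triggers, 1 ms apart, to each of
    n_clients app-clients. Returns what the KDC farm would have received."""
    clients = [AppClient(limited) for _ in range(n_clients)]
    for c in clients:
        for i in range(n_packets):
            # Constructed, forged source labels: one fixed source, or a
            # fresh one per packet to evade the per-source bucket.
            src = f"forged-src-{i}" if rotate_sources else "forged-src-7"
            c.handle_trigger(src, now_ms=i)
    return {
        "kdc_requests": sum(c.kdc_requests for c in clients),
        "dropped": sum(c.dropped for c in clients),
        "sas_intact": all(c.sas == {"sa-to-peer-A": "established"}
                          for c in clients),
    }


if __name__ == "__main__":
    print("naive:             ", simulate_flood(50, 1000, False, False))
    print("limited, 1 source: ", simulate_flood(50, 1000, False, True))
    print("limited, rotating: ", simulate_flood(50, 1000, True, True))
```

With the assumed numbers, 50 app-clients blindly forwarding 1000 forged triggers each hand the KDC 50,000 requests; the per-source bucket cuts that to 100, and when the attacker rotates forged source labels to defeat the per-source bucket the global bucket still caps the total at 700 over the same second. In every case the pre-existing SA is untouched. The per-source table is itself a resource the attacker can grow, so it needs a size bound in anything beyond this sketch.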