[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: KINK user-user scenario
Jonathan Trostle writes:
> Kerberos is vulnerable to these types of DoS attacks already. For example,
> an attacker can create a delegated request targetted at himself with a
> bogus krb creds inside and then send that out in multiple delegated request
> to 1000 servers which then try to authenticate to the KDC using the bogus
> krb creds.
> I'm not convinced we should go to a lot of work to try to prevent these
> types of attacks, because we will only be able to give some improvement to
> a few cases instead of all the cases. Some sort of IDS system would
> probably be needed to handle these types of attacks and might do an equally
> good job against all of them.
As currently instantiated in draft-ietf-kink-kink-00, this
DoS attack does not exist. Adding some sort of wakeup
mechanism explicitly allows the attack.
I'd say that these proposals go out their way to *allow*
the attack. That to my mind is bogus.