
Re: KINK user-user scenario

Jonathan Trostle writes:
 > Kerberos is vulnerable to these types of DoS attacks already. For example,
 > an attacker can create a delegated request targeted at himself with
 > bogus krb creds inside and then send that out in multiple delegated requests
 > to 1000 servers, which then try to authenticate to the KDC using the bogus
 > krb creds.
 > I'm not convinced we should go to a lot of work to try to prevent these
 > types of attacks, because we will only be able to give some improvement to
 > a few cases instead of all the cases. Some sort of IDS system would
 > probably be needed to handle these types of attacks and might do an equally
 > good job against all of them. 

   As currently instantiated in draft-ietf-kink-kink-00, this
   DoS attack does not exist. Adding some sort of wakeup 
   mechanism explicitly allows the attack. 

   I'd say that these proposals go out of their way to *allow*
   the attack. That to my mind is bogus.