top | item 38047129

(no title)

> Any time you have a UDP-based protocol where a small packet to the server results in a large packet from the server will be exploited

In other news, water is wet.

Seriously folks, if you don't already know this you shouldn't be designing any protocols. Datagram or stream-based.

> That's one reason for the TCP three-way handshake.

And its horrendous latency.

All of the mitigations for that open up resource exhaustion attacks; frying pan, meet fire.

There's no free lunch. Datagram protocols are not going away.

discuss

wmf|2 years ago

I just checked Beej's Guide and there's no mention of amplification. I wouldn't be surprised if TCP/IP Illustrated doesn't teach it either. This means most people won't know about it and they won't know that they don't know.

The mitigation of requiring a "SYN" style packet to be MTU-sized sounds pretty good to me. It obviously uses a little more bandwidth but the network may be underutilized on the upstream path anyway.

10000truths|2 years ago

> I just checked Beej's Guide and there's no mention of amplification. I wouldn't be surprised if TCP/IP Illustrated doesn't teach it either. This means most people won't know about it and they won't know that they don't know.

The issue isn't a lack of understanding of networking, it's a lack of understanding of the threat model.

d-z-m|2 years ago

> Seriously folks, if you don't already know this you shouldn't be designing any protocols. Datagram or stream-based.

I find this kind of gatekeeping distasteful. Knowing about various ways network protocols can be exploited is important, but this can be communicated without trampling curiosity.