Internet Denial-of-Service Considerations
RFC 4732
Document Type RFC - Informational (December 2006; No errata)
Last updated 2015-10-14
Stream IAB
Formats plain text html pdf htmlized bibtex
Stream IAB state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
Email authors IPR References Referenced by Nits 
Network Working Group                                    M. Handley, Ed.
Request for Comments: 4732                                           UCL
Category: Informational                                 E. Rescorla, Ed.
                                                       Network Resonance
                                             Internet Architecture Board
                                                                     IAB
                                                           November 2006

               Internet Denial-of-Service Considerations

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2006).

Abstract

   This document provides an overview of possible avenues for denial-
   of-service (DoS) attack on Internet systems.  The aim is to encourage
   protocol designers and network engineers towards designs that are
   more robust.  We discuss partial solutions that reduce the
   effectiveness of attacks, and how some solutions might inadvertently
   open up alternative vulnerabilities.

Handley, et al.              Informational                      [Page 1]
RFC 4732                   DoS Considerations              November 2006

Table of Contents

   1. Introduction ....................................................3
   2. An Overview of Denial-of-Service Threats ........................4
      2.1. DoS Attacks on End-Systems .................................4
           2.1.1. Exploiting Poor Software Quality ....................4
           2.1.2. Application Resource Exhaustion .....................5
           2.1.3. Operating System Resource Exhaustion ................6
           2.1.4. Triggered Lockouts and Quota Exhaustion .............7
      2.2. DoS Attacks on Routers .....................................8
           2.2.1. Attacks on Routers through Routing Protocols ........8
           2.2.2. IP Multicast-based DoS Attacks ......................9
           2.2.3. Attacks on Router Forwarding Engines ...............10
      2.3. Attacks on Ongoing Communications .........................11
      2.4. Attacks Using the Victim's Own Resources ..................12
      2.5. DoS Attacks on Local Hosts or Infrastructure ..............12
      2.6. DoS Attacks on Sites through DNS ..........................15
      2.7. DoS Attacks on Links ......................................16
      2.8. DoS Attacks on Firewalls ..................................17
      2.9. DoS Attacks on IDS Systems ................................18
      2.10. DoS Attacks on or via NTP ................................18
      2.11. Physical DoS .............................................18
      2.12. Social Engineering DoS ...................................19
      2.13. Legal DoS ................................................19
      2.14. Spam and Black-Hole Lists ................................19
   3. Attack Amplifiers ..............................................20
      3.1. Methods of Attack Amplification ...........................20
      3.2. Strategies to Mitigate Attack Amplification ...............22
   4. DoS Mitigation Strategies ......................................22
      4.1. Protocol Design ...........................................23
           4.1.1. Don't Hold State for Unverified Hosts ..............23
           4.1.2. Make It Hard to Simulate a Legitimate User .........23
           4.1.3. Graceful Routing Degradation .......................24
           4.1.4. Autoconfiguration and Authentication ...............24
      4.2. Network Design and Configuration ..........................25
           4.2.1. Redundancy and Distributed Service .................25
           4.2.2. Authenticate Routing Adjacencies ...................25
           4.2.3. Isolate Router-to-Router Traffic ...................26
      4.3. Router Implementation Issues ..............................26
           4.3.1. Checking Protocol Syntax and Semantics .............26
           4.3.2. Consistency Checks .................................27
           4.3.3. Enhance Router Robustness through
                  Operational Adjustments ............................28
           4.3.4. Proper Handling of Router Resource Exhaustion ......28
      4.4. End-System Implementation Issues ..........................29
           4.4.1. State Lookup Complexity ............................29
           4.4.2. Operational Issues .................................30
   5. Conclusions ....................................................30

Handley, et al.              Informational                      [Page 2]
RFC 4732                   DoS Considerations              November 2006

   6. Security Considerations ........................................31
   7. Acknowledgements ...............................................31
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools