<h2>Happy-New-Year protocol DOS vulnerability</h2>
<p>Published 2012-01-01 at <a href="https://www.somethinkodd.com/oddthinking/2012/01/01/happy-new-year-protocol-dos-vulnerability/">somethinkodd.com/oddthinking</a>. Categories: doubleplus-geek, humour, thoughts-from-the-shower.</p>
<p><em>Wishing someone a Happy New Year may subject you to a Denial-of-Service Attack.</em></p>
<h3>Protocol Description</h3>
<p>Through observation and experimentation last night, I determined the following elements of the Happy New Year protocol.</p>
<p>The protocol is initiated by one peer, who pings “Happy New Year!” This may be sent single-cast to another individual, multi-cast to a group, or broadcast by shouting it out aloud.</p>
<p>Peers who receive this message <a href="http://www.ietf.org/rfc/rfc2119.txt">SHOULD</a> respond to the sender with an acknowledgement message, viz. “Happy New Year!”</p>
<p>It may be that no responses are received.</p>
<h3>Protocol Analysis</h3>
<p>There are a number of simple flaws in this protocol.</p>
<ul>
<li>The chief flaw is that the SYN and ACK packets are identical and lack any unique identifiers. For example, rather than yelling “SYN Message 9162: Happy New Year” and receiving the response “ACK Message 9162”, the call-response is “Happy New Year”, “Happy New Year”.</li>
<li>The expected response time is not stated in the standard, and may vary between implementations.</li>
<li>There is no digital signing of the message nor any other secure channel specified, making authentication difficult or impossible.</li>
</ul>
<h3>Result: Race Condition</h3>
<p>As a result, a race condition may occur, leading to a denial of service attack.</p>
<p>Consider Alice broadcasting an initial “Happy New Year!” message. She waits for 4 seconds, then times out, considering the protocol handshake to be completed.</p>
<p>Meanwhile, Bob has received the message during an alcohol-induced fail-over period, and takes 5 seconds before standing up and single-casting “Happy New Year!” back to Alice.</p>
<p>Alice hears the response <em>as an initiation request</em>, and responds promptly: “Happy New Year!”</p>
<p>Bob likewise responds to what he believes is an initial packet: “Happy New Year!”</p>
<p>The two are now stuck in an infinite loop, each believing they are politely responding to the other's initiation, and wondering when the other will stop.</p>
<h3>Result: Vulnerability</h3>
<p>Worse, this introduces a vulnerability. Charlie can deliberately whisper “Happy New Year!” into Alice's ear, in Bob's accent, and both resources will be permanently tied up until they pass out.</p>
<h3>Conclusion</h3>
<p>The protocol should be patched to include serial numbers and robust authentication. We only have a year to get this in place before the malicious hackers may put on a full-scale attack.</p>
<p>The old protocol should be immediately deprecated. If someone says “Happy New Year!” to you, reply only with “Ack: Happy New Year 20120101000305.19232 G8l0+aIjsSjUpE~lzAo9-TP”, i.e. with a timestamp (or preferably a unique key provided by the sender) and a hash of the message encrypted with your private key.</p>