CS262A Reading Summary 29

TCP Congestion Control with a Misbehaving Receiver

S. Savage et al.
Summary by Feng Zhou
11/7/2002

3 things in the paper:
  1. TCP is designed on the assumption that all parties are cooperative. The authors point out three vulnerabilities in TCP congestion control: ACK division, DupACK spoofing and Optimistic ACKing. All three stem from one fact: the sender has no way to verify that an ACK is genuine, yet ACKs are what it uses to measure the RTT, to clock the growth of its congestion window and to detect loss (and hence congestion).
  2. By modifying the TCP implementation in Linux, the authors demonstrated that all three attacks actually work in the real world.
  3. A fix is proposed that adds two fields to the TCP segment format, a Nonce and a Nonce Reply, with which the sender can check that an ACK was produced by a receiver that really got the data it acknowledges. More generally, the principle in the paper applies to any protocol design. Simply put, a party should be able to verify the validity of the packets it receives from other parties before acting on them.
1 flaw:

The proposed fix requires a change to the TCP segment format, which isn't realistic given the scale of TCP's deployment. A more desirable fix would change only the sender's TCP implementation, so that a single patched host is protected on its own. The first two vulnerabilities, ACK division and DupACK spoofing, can probably be fixed this way (for ACK division the paper itself notes that the sender can refuse to grow its window for ACKs that do not cover a full segment, which needs no receiver cooperation). The third, Optimistic ACKing, is harder to defeat at the sender alone. One possible way is to detect premature ACKs, i.e. ACKs that acknowledge data not yet sent; note, though, that this only catches a receiver that overshoots what has been sent, not one that ACKs data still in flight before it arrives, which is what the attack relies on.
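As an added illustration (not code from the paper, and not any real TCP stack), the toy model below runs a simplified sender's congestion window through the three attacks from item 1 and the countermeasures discussed in item 3 and in the flaw above: byte counting for ACK division, the paper's singular nonce for DupACK spoofing, and the cumulative nonce together with a premature-ACK check for Optimistic ACKing. The Sender class, the MSS value, the 32-bit nonce width and the inflation rule (one MSS per duplicate ACK from the third onward) are simplifications assumed here; nonces are drawn so that 0 is never valid, which makes the attacker's guess in the optimistic case deterministically wrong.

```python
"""Toy model of a TCP sender's congestion window under the three
misbehaving-receiver attacks of Savage et al. and their countermeasures.
Added illustration, not the paper's or any kernel's code. Only slow start
and fast-recovery inflation are modelled; sequence numbers count bytes."""
import random

MSS = 1460  # assumed segment size


class Sender:
    def __init__(self, byte_counting=False, use_nonce=False):
        self.byte_counting = byte_counting  # grow cwnd by bytes ACKed, not per ACK
        self.use_nonce = use_nonce          # nonce / nonce-reply fields (assumed 32-bit)
        self.cwnd = MSS                     # congestion window, bytes
        self.snd_una = 0                    # oldest unacknowledged byte
        self.snd_nxt = 0                    # next byte to send
        self.segments = {}                  # seq -> (length, nonce) of every segment sent
        self.used_nonces = set()            # nonces already spent on a DupACK
        self.dupacks = 0
        self.rejected = []                  # ACKs discarded as premature or unverifiable

    def send(self):
        """Send every full segment the window allows; return [(seq, len, nonce)]."""
        out = []
        while self.snd_nxt + MSS <= self.snd_una + self.cwnd:
            nonce = random.randrange(1, 1 << 32) if self.use_nonce else 0  # 0 never valid
            self.segments[self.snd_nxt] = (MSS, nonce)
            out.append((self.snd_nxt, MSS, nonce))
            self.snd_nxt += MSS
        return out

    def cumulative_nonce(self, ack):
        """Sum (mod 2^32) of the nonces of all segments fully covered by ack."""
        return sum(n for seq, (ln, n) in self.segments.items() if seq + ln <= ack) % (1 << 32)

    def recv_ack(self, ack, nonce_reply=0):
        # Premature ACK: acknowledges bytes that were never sent. Stock TCP
        # already drops these, so this check alone does not stop optimistic ACKing.
        if ack > self.snd_nxt:
            self.rejected.append(ack)
            return
        if ack <= self.snd_una:                              # duplicate ACK
            if self.use_nonce:
                # Singular nonce: a DupACK must echo the not-yet-used nonce of a
                # segment at or beyond the hole, i.e. data that really arrived.
                valid = [s for s, (ln, n) in self.segments.items()
                         if s >= ack and n == nonce_reply and n not in self.used_nonces]
                if not valid:
                    self.rejected.append(ack)
                    return
                self.used_nonces.add(nonce_reply)
            self.dupacks += 1
            if self.dupacks >= 3:                            # fast recovery inflates cwnd
                self.cwnd += MSS
            return
        if self.use_nonce and nonce_reply != self.cumulative_nonce(ack):
            self.rejected.append(ack)                        # receiver cannot prove receipt
            return
        newly = ack - self.snd_una
        self.snd_una, self.dupacks = ack, 0
        # Slow start: classic TCP adds one MSS per ACK, which ACK division
        # exploits; byte counting adds only what was actually acknowledged.
        self.cwnd += min(newly, MSS) if self.byte_counting else MSS


def attack_ack_division(byte_counting=False, pieces=10):
    """Receiver splits the ACK for each segment into `pieces` partial ACKs."""
    s = Sender(byte_counting=byte_counting)
    for seq, ln, _ in s.send():             # cwnd == MSS, so one segment in flight
        for i in range(1, pieces + 1):
            s.recv_ack(seq + ln * i // pieces)
    return s.cwnd


def attack_dupack(use_nonce=False, spoofed=50):
    """Receiver floods duplicate ACKs to drive fast-recovery inflation."""
    s = Sender(use_nonce=use_nonce)
    seq, ln, nonce = s.send()[0]
    s.recv_ack(seq + ln, nonce)              # honest ACK: cwnd becomes 2*MSS
    first, second = s.send()                 # two segments now in flight
    # Attacker claims `first` is missing and `second` arrived out of order;
    # it actually received both, but it knows only those two nonces.
    for _ in range(spoofed):
        s.recv_ack(first[0], second[2])
    return s.cwnd


def attack_optimistic(use_nonce=False):
    """Receiver ACKs data before (or without) receiving it."""
    s = Sender(use_nonce=use_nonce)
    s.send()                                 # one segment on the wire
    s.recv_ack(MSS, 0)                       # ACK in-flight data, guessing the nonce
    s.recv_ack(4 * MSS, 0)                   # ACK data that was never sent
    return s.cwnd, s.rejected
```

Running the three attack functions with and without the defences shows the asymmetry the flaw paragraph points at: byte counting and the singular nonce each hold the window at 2 MSS where the unprotected sender balloons, while the premature-ACK check by itself rejects only the ACK that runs past snd_nxt and still credits the in-flight segment; only the cumulative nonce rejects both.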