Abstract

The Stream Control Transmission Protocol (SCTP) is inherently vulnerable to optimistic Selective Acknowledgement (SACK) spoofing. We highlight a threat scenario in which this vulnerability is exploited to generate a sustained and powerful Denial-of-Service attack flood over the Internet. We identify and analyze a fundamental design limitation in SCTP that leads to the above-mentioned vulnerability and propose a novel acknowledgement generation scheme, called Data Enriched SACK (DESACK), to make SCTP robust against optimistic SACK spoofing. We present the design and implementation details of DESACK. The proposed scheme is experimentally implemented, tested and integrated into the SCTP framework in the Linux kernel. We also provide real-world experimental results to demonstrate the feasibility and effectiveness of DESACK on a highly loaded multi-hop production network.

  • Publication date: 2014-12

Full text