Data Alignment and Memory Accesses

IBM’s developerWorks has an article on data alignment, and these are some of the facts worth noting:

  • Some processors completely lack the support for unaligned data access.
  • Complex hardware jugglery is needed to support unaligned data access.
  • Some processors trap to CPU on such accesses (PPC does so for 64-bit floating point access) and the OS does the labor to load the register with proper data.
  • Whether they support it or not, I guess the address bus that runs from CPU to memory just does not contain the lower “n” address bits, depending on the memory access granularity.
  • PPC does support 32-bit unaligned data access.
  • Aligned memory access is a must for atomicity purposes. Failing to do so could lead to synchronization problems and corruption. Can this aligned memory span across two pages? Is it possible?

On Flooding Attacks and Their Mitigation

BCP38 talks about flooding attacks and some simple ways of mitigating them. First, it explains how an attacker can target victims:

  1. by inundating a server with a large number of SYN requests
  2. by spoofing the address of a legitimate host, thereby causing the host to be blacklisted
  3. by inundating more than one host with SYN-ACK packets by spoofing IP addresses.

Items 1 and 3 are somewhat related. The BCP (Best Current Practice) says that if routers apply a very simple rule at their end:

  • If the traffic originates from the router's known prefixes (i.e. the source address, SA, of the traffic falls within those prefixes), forward it as usual
  • Drop all the remaining traffic

then most of the source IP spoofing attacks can be mitigated. The DDoS attack of type 1 (mentioned above) can still happen, but since the source IP address cannot be spoofed, or can be spoofed only to a limited extent (within the allowed range of prefixes), it will be easier to track down the source of the attack. This “ingress traffic filtering” is best implemented at the edge routers of the Internet.

A Nonce to Mitigate DDoS Attacks

Cloudflare, hosting many customers, has handled many DDoS attacks. Some time ago there were DNS amplification attacks; now there is an NTP amplification DDoS attack. It so happens that there are two essential conditions for such an amplification attack to happen:

  • A large reply in response to a very small request. This allows an attacker with a small set of hosts and only so much bandwidth to trigger a very large attack on the target.
  • Source IP address spoofing. This allows an attacker to send request packets that appear to come from the target, thereby effectively redirecting all the responses to the target.

One of the fixes suggested to guard against IP address spoofing attacks is a nonce, briefly described here. If I understand it correctly, it requires a client to send back a nonce (a random value) that was sent to it as part of the reply, so that further replies can be sent. If the nonce is not received (when the receiver is not interested in the reply), further replies are not sent. This will at least mitigate the amplification effect, if not the total DDoS attack altogether.
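A sketch of the nonce echo described above, added here as an illustration; it is not code from Cloudflare or from the linked proposal. It assumes the nonce is an HMAC over the claimed source address and the offset it unlocks (so the server keeps no per-client state); `CHUNK`, the function names and the documentation-range addresses are made up for the example.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # server-side key; rotation is out of scope here
CHUNK = 400               # most payload bytes sent per request (assumed value)


def nonce_for(src_ip, offset):
    """Nonce bound to the claimed source address and the offset it unlocks."""
    msg = f"{src_ip}|{offset}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:8]


def handle(src_ip, offset, nonce, data):
    """Serve one request. Returns (next_nonce, chunk), or None to stay silent."""
    if offset != 0 and not hmac.compare_digest(nonce, nonce_for(src_ip, offset)):
        return None       # no valid echo: send nothing, so nothing is reflected
    chunk = data[offset:offset + CHUNK]
    return nonce_for(src_ip, offset + len(chunk)), chunk


def fetch_all(src_ip, data):
    """Genuine client: it receives each reply, so it can echo each nonce."""
    out, offset, nonce = b"", 0, b""
    while True:
        next_nonce, chunk = handle(src_ip, offset, nonce, data)
        if not chunk:
            return out
        out, offset, nonce = out + chunk, offset + len(chunk), next_nonce


def bytes_sent_to(victim_ip, data, requests):
    """Payload bytes sent to victim_ip for spoofed (offset, nonce) requests."""
    total = 0
    for offset, nonce in requests:
        reply = handle(victim_ip, offset, nonce, data)
        if reply is not None:
            total += len(reply[1])
    return total


if __name__ == "__main__":
    data = os.urandom(4000)                      # constructed large reply
    assert fetch_all("192.0.2.10", data) == data
    guessed = [(CHUNK * i, os.urandom(8)) for i in range(1, 10)]
    print(bytes_sent_to("198.51.100.7", data, [(0, b"")] + guessed))  # 400
```

A spoofed request for offset 0 still reflects one chunk, so the amplification is bounded by the size of the first reply rather than removed; keeping that first reply close to the request size is what limits the gain.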

Going forward, there is a lesson to be learnt for protocol designers: make sure your reply to a request does not motivate a DDoS attack.