[OTR-users] OTR loop DOS attack

Ian Goldberg ian at cypherpunks.ca
Mon Jul 25 21:44:31 EDT 2005


On Mon, Jul 25, 2005 at 04:45:20PM -0700, Ken Restivo wrote:
> It might be good if the opportunistic encryption somehow could
> recognise an echo of its own request, and just disregard it and go
> into unencrypted mode.

libotr in fact *does* recognize echoes of its own Key Exchange Messages.
You should see a message somewhere saying "We are receiving our own OTR
messages.  You are either trying to talk to yourself, or someone is
reflecting your messages back at you."  When it recognizes this, it
doesn't reply with another Key Exchange Message, so things should stop
there.

What messages keep getting sent back and forth?

> I don't know whether this vulnerability is in Adium, with the OTR
> protocol. It's obviously more annoying than dangerous, but I suppose
> it could be put to nefarious ends as well.

Note that we don't in general try to protect against DoS attacks, since
we can't.  But I'm still not clear on what exactly is going on here.
Can you send me a log?

Thanks,

   - Ian



More information about the OTR-users mailing list