[OTR-users] OTR loop DOS attack

[Ken Restivo]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jul 25, 2005 at 09:44:31PM -0400, Ian Goldberg wrote:
> On Mon, Jul 25, 2005 at 04:45:20PM -0700, Ken Restivo wrote:
> > It might be good if the opportunistic encryption somehow could
> > recognise an echo of its own request, and just disregard it and go
> > into unencrypted mode.
> 
> libotr in fact *does* recognize echoes of its own Key Exchange Messages.
> You should see a message somewhere saying "We are receiving our own OTR
> messages.  You are either trying to talk to yourself, or someone is
> reflecting your messages back at you."  When it recognizes this, it
> doesn't reply with another Key Exchange Message, so things should stop
> there.
> 

That is in fact what it said. But, yet, it keeps on attempting to re-send an OTR message to the bot; I don't know what exactly.

This was during a presence subscription exchange too; the bot automatically subscribes anyone who asks it. I don't know if that's significant.

> What messages keep getting sent back and forth?
> 

It's an SSL channel, and I wasn't logging it.

> > I don't know whether this vulnerability is in Adium, with the OTR
> > protocol. It's obviously more annoying than dangerous, but I suppose
> > it could be put to nefarious ends as well.
> 
> Note that we don't in general try to protect against DoS attacks, since
> we can't.  But I'm still not clear on what exactly is going on here.
> Can you send me a log?
> 

If I can get one from the user who experienced this lock-up, I will forward it.

What I might do is send along a simplified bit of code for the bot, and let you-all have a look. I suspect you could get a lot farther troubleshooting this than I ever would.

- -ken
- -- 
- ---------------
The world's most affordable web hosting.
http://www.nearlyfreespeech.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC5ZrRe8HF+6xeOIcRAis+AJ9mxgXKBZDHVRXtryAjxlg9BSVOHQCfRki0
vsDZ38HdBdK3fLoHBuc+5kE=
=gNek
-----END PGP SIGNATURE-----