de7af720d6
This a fix for an attack vector where the discovery protocol could be used to amplify traffic in a DDOS attack. A malicious actor would send a findnode request with the IP address and UDP port of the target as the source address. The recipient of the findnode packet would then send a neighbors packet (which is 16x the size of findnode) to the victim. Our solution is to require a 'bond' with the sender of findnode. If no bond exists, the findnode packet is not processed. A bond between nodes α and β is created when α replies to a ping from β. This (initial) version of the bonding implementation might still be vulnerable against replay attacks during the expiration time window. We will add stricter source address validation later. |
||
---|---|---|
.. | ||
discover | ||
nat | ||
handshake_test.go | ||
handshake.go | ||
message_test.go | ||
message.go | ||
peer_error.go | ||
peer_test.go | ||
peer.go | ||
protocol.go | ||
rlpx_test.go | ||
rlpx.go | ||
server_test.go | ||
server.go | ||
testlog_test.go |