forked from cerc-io/plugeth
de7af720d6
This a fix for an attack vector where the discovery protocol could be used to amplify traffic in a DDOS attack. A malicious actor would send a findnode request with the IP address and UDP port of the target as the source address. The recipient of the findnode packet would then send a neighbors packet (which is 16x the size of findnode) to the victim. Our solution is to require a 'bond' with the sender of findnode. If no bond exists, the findnode packet is not processed. A bond between nodes α and β is created when α replies to a ping from β. This (initial) version of the bonding implementation might still be vulnerable against replay attacks during the expiration time window. We will add stricter source address validation later. |
||
|---|---|---|
| .. | ||
| discover | ||
| nat | ||
| handshake_test.go | ||
| handshake.go | ||
| message_test.go | ||
| message.go | ||
| peer_error.go | ||
| peer_test.go | ||
| peer.go | ||
| protocol.go | ||
| rlpx_test.go | ||
| rlpx.go | ||
| server_test.go | ||
| server.go | ||
| testlog_test.go | ||