Handling CTM DDoS (ADC + NMDC)
Affects: DC++
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)
Bug Description
Buggy hubs can be exploited, or malicious hub admins can initiate a connection DDoS against servers by sending CTM messages to many users at a high rate. This problem has been ongoing for the past couple of years, and it is hard to deal with, since it is hard to figure out *who* is initiating the attack.
So I suggest that when a client connects to another client, it sends the address of the hub (hub[:port] for NMDC or adc[s]://host:port for ADC). The address should be the same address the client used to connect to the hub initially, so it does not have to be resolved to an IP (a hostname is fine).
Anyway, this can be done as a simple protocol extension which should not break backwards compatibility for any sane client in any way. It is imperative that this information is among the first bytes sent, and that it does not require the receiving host to reply in some specific way to obtain the information. For this reason it should be sent as part of the SUP or $Supports message of the connecting client.
Example:
For ADC:
Currently, connecting client sends:
CSUP ADBASE (...)
Change it to also send a referrer:
CSUP ADBASE (...) RFadc:/
For NMDC:
Currently, connecting client sends:
$MyNick Dj_Offset|$Supports (...)|$Lock (...)
Change it to also send a referrer:
$MyNick Dj_Offset|$Supports (...) Ref=hub.
Only NMDC clients and ADC clients are affected by this change, and the transition is two-phased:
Phase 1: Ensure the extended SUP or $Supports messages are accepted and do not cause the connection to be torn down (basically, just ignore the RF flag in ADC for a SUP, and "Ref=" for NMDC).
Phase 2: Make sure the client sends the referrer in the supports message. When receiving one, also ignore it as in phase 1.
Conclusion:
* DDoS attacked hosts can now inspect incoming requests to pinpoint which hub(s) are assisting in the attack.
* This information can still be obtained even if not all clients have the extension.
* Fully backwards-compatible extension; does not require anything of existing clients.
* Simple implementation, little required for full compliance.
Changed in dcplusplus:
status: New → In Progress
Changed in dcplusplus:
status: In Progress → Fix Committed
Changed in dcplusplus:
status: Fix Committed → Fix Released
great idea :)
But the hub port should not be used as the Ref, because one hub can use multiple ports. The result can be that 2 users on the same hub actually use 2 different ports for the same hub.
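An added example (written for this page; it is not DC++ code nor any client's implementation) of what the attacked host would run over the first bytes of each inbound connection, covering the referrer proposed in the bug description and the port objection in the comment above: it extracts the RF parameter from an ADC CSUP and the Ref= token from an NMDC $Supports, tolerates clients that do not send one, and groups connections by hub host rather than host:port so a hub listening on several ports lands in one bucket. The hub names, the sample handshakes and the handling of a dchub:// prefix are constructed assumptions, not anything the report specifies.

```python
"""Attribute a burst of inbound DC client connections to the hub(s) that
referred them, using the referrer proposed in this bug report.

Added example for this page, not DC++ code.  Assumes the referrer is sent
as an "RF<url>" parameter in the ADC CSUP and as a "Ref=<hub[:port]>" token
in the NMDC $Supports, as the report proposes; the sample handshakes and
hub names below are constructed.
"""
import re
from collections import Counter

# Schemes a referrer may be prefixed with (adc:// and adcs:// per the report;
# dchub:// is an assumed NMDC URL form, stripped the same way).
_SCHEME_RE = re.compile(r"^(?:adcs?|dchub)://", re.IGNORECASE)
_NMDC_REF_RE = re.compile(r"(?:^|\s)Ref=([^\s|]+)")


def parse_referrer(first_bytes):
    """Classify the opening bytes of an inbound connection.

    Returns (protocol, referrer): protocol is "adc", "nmdc" or None, and
    referrer is the hub address the peer says told it to connect, or None
    when the peer does not send one (a pre-extension client).
    """
    text = first_bytes.decode("utf-8", errors="replace")
    if text.startswith("CSUP "):
        # ADC client-client hello: "CSUP ADBASE ADTIGR RFadcs://hub:port\n"
        # Parameters are space separated; the one starting "RF" is the referrer.
        line = text.split("\n", 1)[0]
        for param in line.split(" ")[1:]:
            if param.startswith("RF") and len(param) > 2:
                return "adc", param[2:]
        return "adc", None
    if text.startswith("$MyNick "):
        # NMDC: "$MyNick nick|$Supports ... Ref=hub:port|$Lock ...|"
        for cmd in text.split("|"):
            if cmd.startswith("$Supports "):
                m = _NMDC_REF_RE.search(cmd)
                return "nmdc", (m.group(1) if m else None)
        return "nmdc", None
    return None, None


def hub_key(referrer):
    """Reduce a referrer to the hub's host, so one hub listening on several
    ports (the objection raised in the comment) is counted as one bucket."""
    hostport = _SCHEME_RE.sub("", referrer).split("/", 1)[0]
    if hostport.startswith("["):                 # bracketed IPv6 literal
        end = hostport.find("]")
        return (hostport[:end + 1] if end != -1 else hostport).lower()
    host, sep, port = hostport.rpartition(":")
    if sep and port.isdigit():
        return host.lower()
    return hostport.lower()


def attribute_connections(handshakes):
    """Count inbound connections per referring hub.

    Clients without the extension land in "<no referrer>" and unrelated
    traffic in "<not a DC handshake>", so the part of the flood that cannot
    be attributed stays visible instead of silently disappearing.
    """
    counts = Counter()
    for raw in handshakes:
        proto, ref = parse_referrer(raw)
        if proto is None:
            counts["<not a DC handshake>"] += 1
        elif ref is None:
            counts["<no referrer>"] += 1
        else:
            counts[hub_key(ref)] += 1
    return counts


# Constructed sample: opening bytes of seven inbound connections.
SAMPLE_HANDSHAKES = [
    b"CSUP ADBASE ADTIGR RFadcs://hub.example.org:5000\n",
    b"CSUP ADBASE ADTIGR RFadc://hub.example.org:5001\n",   # same hub, 2nd port
    b"CSUP ADBASE ADTIGR\n",                                 # no extension
    b"$MyNick Dj_Offset|$Supports MiniSlots XmlBZList Ref=hub.example.org:411|"
    b"$Lock EXTENDEDPROTOCOL Pk=DCPLUSPLUS|",
    b"$MyNick peer2|$Supports MiniSlots Ref=other.example.net|$Lock EXTENDEDPROTOCOL Pk=x|",
    b"$MyNick legacy|$Supports MiniSlots|$Lock EXTENDEDPROTOCOL Pk=x|",  # no extension
    b"GET / HTTP/1.1\r\nHost: victim.example\r\n\r\n",      # not DC at all
]

if __name__ == "__main__":
    for hub, n in attribute_connections(SAMPLE_HANDSHAKES).most_common():
        print(f"{n:5d}  {hub}")
```

On the sample, the two ADC connections arriving via ports 5000 and 5001 and the NMDC one via port 411 all fall under hub.example.org, which is the view an operator needs when asking a hub owner (or their upstream) to stop the CTM flood; the "<no referrer>" bucket shows how much of the flood comes from clients that have not yet picked up the extension.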