Opened 6 years ago

Closed 6 years ago

#1528 closed defect (duplicate)

Mitigate amplification attacks via SSU

Reported by: str4d Owned by: zzz
Priority: minor Milestone: undecided
Component: router/transport Version: 0.9.19
Keywords: ssu Cc:
Parent Tickets: Sensitive: no


Reported by Yawning in #tor-dev:

<Yawning> *looks at the ssu source for lols*
<Yawning> was wondering if it changed recently
<Yawning> wondering if I can turn i2p into a gigantic botnet still
<str4d> Leveraging the SSU transport? That would be the first I've heard of such a vector.
<Yawning> y'all should rate limit SessionCreated
<Yawning> I told someone about this :/
<Yawning> my understanding of the code may be too shallow
* str4d isn't the dev that works on SSU tho, so probably missed it
<Yawning> basically, send a ton of valid session created messages with a spoofed source ip
<Yawning> and abuse the fact that the signature gives you amplification of the response size
<Yawning> though y'all now support ecc so it's not as good as it used to be
<Yawning> if you want to fix it there's a few ways to
<Yawning> using a 4 way handshake would be what I would do if I were the one fixing it
<str4d> Hmm, I can't find any ticket mentioning it. Do you know who it was you told?
<Yawning> no, was a while ago
<str4d> Then I'm unsurprised it would fall through the cracks, tickets are really the only way we remember things :P
<Yawning> nb: my understanding of the code is not deep so it may infact be doing rate limiting
<Yawning> hidden in a tiny java routine somwhere
<str4d> Would not surprise me, we have limits all over the place
<Yawning> it'd be worth noting in the spec that implementations SHOULD implement mitigations for such things
<str4d> mmm
<str4d> There is an open ticket for implementing transport-layer replay prevention (, but this would be slightly different.
<Yawning> yeah, cus what I'd do is randomize the nonce each time
<Yawning> if I were designing something like SSU2, I'd probably knock off SCTP's 4 way handshake as well
<Yawning> where cookie/cookie echo is the current 2 way handshake with an extra field
* goatandsheep has quit (Quit: Page closed)
<Yawning> basically, refusing to send the session created till the initiator proves it can receive traffic from the address it claims to be sitting on
<str4d> Yeah, that's what NTCP does
<Yawning> use something like HMAC-whatever over X | size | IP addr as the cookie or something
<Yawning> so the cookie sent back is tiny


Change History (1)

comment:1 Changed 6 years ago by str4d

Resolution: duplicate
Status: newclosed

Accidental duplicate of #1527 thanks to network churn.

Note: See TracTickets for help on using tickets.