Closed atoulme closed 3 years ago
Hey, thank your for submitting this report! We asked the Teku team to take a look, and will be reviewing it ourselves soon. And maybe @jrhea is interested as well, he tried things to a similar effect on Teku (many discv5 things, also @mkalinin), and I am not sure if there is any overlap in the attacks.
CC @Nashatyrev
Hey, thank your for submitting this report! We asked the Teku team to take a look, and will be reviewing it ourselves soon. And maybe @jrhea is interested as well, he tried things to a similar effect on Teku (many discv5 things, also @mkalinin), and I am not sure if there is any overlap in the attacks.
Oh...this is good. At a glance, it seems to be functionally equivalent to one of the attacks I disclosed privately.
@atoulme, why did you select 46 bytes? i think i know why, but i'm curious as to your rationale. Also, what does your payload look like? If the payload is random, then i think @Nashatyrev has a PR in the Discovery repo that will sidestep this by validating that the auth-tag field is valid RLP; however, that is not an effective fix for this vulnerability bc one could easily craft a packet like this: 01010101010101010101010101010101010101010101010101010101010101018c020202020202020202020202
that would have the same effect.
@mkalinin and I were going to bring up the topic of how to mitigate these types of attacks in tomorrow's networking call. iirc @mkalinin added it to the agenda.
Per spec, random packets are 32 bytes + 12 bytes, and then 44 bytes of randomness. It doesn't look like Teku checks for the 44 bytes presence, just need a couple bytes additionally. But mostly by trying things out. I did get some good results with empty packets as well, but 46 bytes completely overwhelms Teku much faster.
I did get some good results with empty packets as well, but 46 bytes completely overwhelms Teku much faster.
This is good to know. That is consistent with my (somewhat foggy) recollection of the things I tried.
Wandering if this is still the case with the fix https://github.com/PegaSysEng/discovery/pull/70
I can generate valid RANDOM packets instead and get the same results. It's a bit harder as the packet is longer, so the cost of the attack goes up.
@atoulme can you share the version of Teku you are experimenting with?
I'm just trying this attack with the latest version (with some Discovery attack fixes) and even 10000 packets (tried both random and valid) sent within ~4sec and don't see any catastrophic impact
Another question: did you change default (INFO
) log level to DEBUG
?
I used the scripts/run.sh
script to run, only changing the default config.yaml
file to turn discovery on.
I used the latest master. Let me know when you have a build I can try out.
@atoulme can you please try the latest master?
This one is merged https://github.com/PegaSysEng/discovery/pull/70 and should at least harden the attack
Is that fix in discovery in teku? Do you want me to try the latest discovery master or the latest teku master?
OK, from the latest master, it looks like Teku is able to take it. Good job!
Sorry for the delay. Thank you @atoulme! This qualifies for the $5k reward tier.
Can you reach out to me at eth2bounty@ethereum.org to get payment setup?
Also, note that this program is recently be deprecated in favor of the eth2bounty program. It should encompass any of the issues you might have found here and more. Current rewards are up to $50k! Happy bug hunting
Description
Random UDP packets of 46 bytes, sent over multiple UDP source ports, take down Teku.
Attack scenario
Note: I could not peer with the attacknet, and not sure which nodes are Teku. I ran locally the attack using the
scripts/run.sh
script from Teku. I turned on discovery with Teku and attacked the UDP port by sending simultaneously 1000 UDP packets from 1000 local ports. Each packet is generated in advance and picked randomly out of 100 prepared 46 bytes long messages, so it's hard for Teku to recognize incoming traffic. Teku depletes quickly its available RAM and falls behind on validators, eventually even losing peers. The attack takes less than 10 seconds and may be amplified as a DDOS as needed.Impact
The nodes lose all peers and run out of memory.
Details
See screenshot of the attack.