As mentioned in issue #1449, rather than blocking all traffic from all ports, we should simply block the tools used for reflection attacks. This PR removes the global block, and instead:
- uses the RETRY process to validate IP addresses if an Initial packet is received from a suspicious port.
- does not respond with Version Negotiation if an Initial packet is received from a suspicious port.
- does not respond with Stateless Reset if a 1RTT packet is received from an unknown CID on a suspicious port.
- does not create new paths if PATH CHALLENGE packets or NATted packets are received from a suspicious port.
- does not heed "preferred address" suggestions if they are directed to a suspicious port.
This does not entirely close #1449, because we still have to deal with excess traffic in response to new path creation.
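The per-packet policy described above, as an added Python sketch that is not the project's own code: the suspicious-port set, the event names and the token format are assumptions for illustration. The Retry token is an HMAC over the client's address and initial DCID, so only a client that really receives packets at that address can pass validation, and the server's only unsolicited reply to a suspicious port is the small Retry packet.

```python
import enum, hashlib, hmac, os

# Constructed list of source ports associated with UDP reflection services.
# This is an assumption for the example; a real deployment keeps its own policy.
SUSPICIOUS_PORTS = {53, 123, 389, 1900, 11211}

class Action(enum.Enum):
    ACCEPT = "accept"
    SEND_RETRY = "send_retry"
    SEND_VERSION_NEGOTIATION = "send_version_negotiation"
    SEND_STATELESS_RESET = "send_stateless_reset"
    CREATE_PATH = "create_path"
    DROP = "drop"

class Server:
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)  # key for Retry tokens
        self.known_cids = set()                 # CIDs of live connections
        self.paths = set()                      # validated (addr, port) pairs

    def retry_token(self, addr, port, dcid):
        # Binds the client's address and initial DCID; a production token
        # would also carry an expiry and be encrypted, not just MAC'd.
        msg = f"{addr}|{port}|".encode() + dcid
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle(self, event, addr, port, dcid=b"", token=b""):
        suspicious = port in SUSPICIOUS_PORTS
        if event == "initial":
            if not suspicious:
                return Action.ACCEPT
            # Suspicious port: only a client that really receives at (addr, port)
            # can echo the Retry token, so reflection attempts stop at the Retry.
            if token and hmac.compare_digest(token, self.retry_token(addr, port, dcid)):
                return Action.ACCEPT
            return Action.SEND_RETRY
        if event == "initial_unsupported_version":
            return Action.DROP if suspicious else Action.SEND_VERSION_NEGOTIATION
        if event == "short_header":
            if dcid in self.known_cids:
                return Action.ACCEPT
            return Action.DROP if suspicious else Action.SEND_STATELESS_RESET
        if event in ("path_challenge", "nat_rebinding"):
            if suspicious:
                return Action.DROP
            self.paths.add((addr, port))
            return Action.CREATE_PATH
        if event == "preferred_address":
            return Action.DROP if suspicious else Action.ACCEPT
        raise ValueError(f"unknown event {event!r}")
```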