[Network Protocol] Connection brokering potential DDOS

This subforum contains all the issues which we already resolved.
solidDoWant
Burner Inserter
Burner Inserter
Posts: 12
Joined: Thu Jun 02, 2016 6:26 pm
Contact:

[Network Protocol] Connection brokering potential DDOS

Post by solidDoWant »

As of right now, when a client sends a connection request to a server, the server sends a large number of packets back to the client. Due to the connection being UDP, this could potentially be used to perform a DDOS amplification attack. Here's how it works:

1. An attacker sends a connection request to the server. The attacker spoofs their IP address in the internet layer of the packet.
2. The Factorio server receives the packet, and sends a number of response packet types, including ConnectionReplyMessage, ConnectionAcceptMessage, and HeartbeatGroupMessages.
3. The target receives all the packets being sent from the factorio server.

The major problem here is with the HeartbeatGroup messages. In my testing (no mods, 12.33), I found that around 600 messages, each with a size of about 116 bytes. The ConnectionRequestMessage that was sent to the server totaled about 100 bytes. This means that the amplification is almost 700 times what I sent the server. To put that in perspective, a NTP amplification attack generally has a gain of around 70 times. Considering the upcoming server browser feature, factorio servers could very easily be used to completely annihilate a server or internet connection.

The fix to this is extremely simple. The server simply needs to validate that the IP it received the ConnectionRequest from is a valid client. To do this, after the server receives the first ConnectionRequest message, it needs to reply with a very small confirmation message. If the client responds to that small confirmation message, then the server can freely send whatever information it needs to the client.
Sakata
Burner Inserter
Burner Inserter
Posts: 18
Joined: Tue Apr 05, 2016 11:34 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by Sakata »

Well now. Came here from the reddit thread thinking it would be a security thing. But a DDoS, that is pretty bad in of itself. With all the botnet farming going on lately... if this is in-fact accurate, factorio servers would be a great asset to add in. That amplification...

They really do need to look into this.
User avatar
ssilk
Global Moderator
Global Moderator
Posts: 12889
Joined: Tue Apr 16, 2013 10:35 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by ssilk »

I found that so important, that I moved it to bugs (even knowing, that it isn't a bug).
Cool suggestion: Eatable MOUSE-pointers.
Have you used the Advanced Search today?
Need help, question? FAQ - Wiki - Forum help
I still like small signatures...
solidDoWant
Burner Inserter
Burner Inserter
Posts: 12
Joined: Thu Jun 02, 2016 6:26 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by solidDoWant »

Thanks ssilk. I can provide more information, write a script to do this, or test to see if the bug still exists in .13 if you like.
Bisa
Filter Inserter
Filter Inserter
Posts: 450
Joined: Fri Jul 17, 2015 3:22 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by Bisa »

Important indeed! :shock:
Hosting a factorio server? Take a look at this || init script ||.
User avatar
ssilk
Global Moderator
Global Moderator
Posts: 12889
Joined: Tue Apr 16, 2013 10:35 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by ssilk »

solidDoWant wrote:Thanks ssilk. I can provide more information, write a script to do this, or test to see if the bug still exists in .13 if you like.
Just wait for the devs-responses to this (you can turn on to recive notification, you know). :) I'm just the herald. :)
Cool suggestion: Eatable MOUSE-pointers.
Have you used the Advanced Search today?
Need help, question? FAQ - Wiki - Forum help
I still like small signatures...
User avatar
TruePikachu
Filter Inserter
Filter Inserter
Posts: 978
Joined: Sat Apr 09, 2016 8:39 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by TruePikachu »

Possible solution would be to establish a handshake with the client instead of assuming it is good. Client sends a single packet out, server sends a single packet in reply, client replies to that packet, server starts sending tons of packets to the client. If the client isn't an actual Factorio game, it probably won't reply to the packet the server sends, or if it does, the server can hopefully see the packet isn't the expected response.
solidDoWant
Burner Inserter
Burner Inserter
Posts: 12
Joined: Thu Jun 02, 2016 6:26 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by solidDoWant »

Possible solution would be to establish a handshake with the client instead of assuming it is good. Client sends a single packet out, server sends a single packet in reply, client replies to that packet, server starts sending tons of packets to the client. If the client isn't an actual Factorio game, it probably won't reply to the packet the server sends, or if it does, the server can hopefully see the packet isn't the expected response.
Yep, that's essentially the fix I described in my OP.
chris13524
Fast Inserter
Fast Inserter
Posts: 207
Joined: Thu Jun 04, 2015 12:20 am
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by chris13524 »

The handshaking packet would have to have some sort of token attached so an attacker cannot just send a generic "handshake reply" packet.
solidDoWant
Burner Inserter
Burner Inserter
Posts: 12
Joined: Thu Jun 02, 2016 6:26 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by solidDoWant »

Yep. The TCP handshake ( https://en.wikipedia.org/wiki/Handshaking ) would be extremely easy to implement and would solve the whole issue. Just need to get a dev to actually read this.
ixnorp
Inserter
Inserter
Posts: 48
Joined: Mon Jun 27, 2016 11:06 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by ixnorp »

So it seems like their idea of UDP NAT punching in order to avoid using TCP has basically resulted in needing to re-implement much of TCP... except in UDP?
Oh NAT, will there be no end to your screwing up of the internet.
https://www.factorio.com/blog/post/fff-143
https://www.factorio.com/blog/post/fff-136
solidDoWant
Burner Inserter
Burner Inserter
Posts: 12
Joined: Thu Jun 02, 2016 6:26 pm
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by solidDoWant »

Yea, their protocol repeats a lot of what the TCP protocol uses. However this isn't necessarily a bad thing. They have, after all, cut down on the number of packets and number of bytes being sent between the client and server (compared to if they used TCP). The protocol just needs some more testing/bug fixing. A lot (most?) multiplayer games do the same thing. That being said, the benefits of using UDP instead of TCP and some bugs similar to this one are kind of canceling each other out. The protocol needs a lot more work in terms of bug fixing and optimization.

As for NAT, there really wouldn't be an internet (as we know if) without NAT. Without it there isn't wouldn't be a way of getting two separate networks (IE Internet and your local network) to communicate. It's an essential part of network routing.
kovarex
Factorio Staff
Factorio Staff
Posts: 8207
Joined: Wed Feb 06, 2013 12:00 am
Contact:

Re: [Network Protocol] Connection brokering potential DDOS

Post by kovarex »

Yes, so it is fixed in 0.14
Post Reply

Return to “Resolved Problems and Bugs”