[Network Protocol] Connection brokering potential DDOS
- Burner Inserter
- Posts: 12
- Joined: Thu Jun 02, 2016 6:26 pm
[Network Protocol] Connection brokering potential DDOS
As of right now, when a client sends a connection request to a server, the server sends a large number of packets back to the client. Due to the connection being UDP, this could potentially be used to perform a DDOS amplification attack. Here's how it works:
1. An attacker sends a connection request to the server. The attacker spoofs their IP address in the internet layer of the packet.
2. The Factorio server receives the packet, and sends a number of response packet types, including ConnectionReplyMessage, ConnectionAcceptMessage, and HeartbeatGroupMessages.
3. The target receives all the packets being sent from the factorio server.
The major problem here is with the HeartbeatGroup messages. In my testing (no mods, 12.33), I found around 600 messages, each with a size of about 116 bytes. The ConnectionRequestMessage that was sent to the server totaled about 100 bytes. This means that the amplification is almost 700 times what I sent the server. To put that in perspective, an NTP amplification attack generally has a gain of around 70 times. Considering the upcoming server browser feature, Factorio servers could very easily be used to completely annihilate a server or internet connection.
The fix to this is extremely simple. The server simply needs to validate that the IP it received the ConnectionRequest from is a valid client. To do this, after the server receives the first ConnectionRequest message, it needs to reply with a very small confirmation message. If the client responds to that small confirmation message, then the server can freely send whatever information it needs to the client.
Re: [Network Protocol] Connection brokering potential DDOS
Well now. Came here from the reddit thread thinking it would be a security thing. But a DDoS, that is pretty bad in and of itself. With all the botnet farming going on lately... if this is in fact accurate, Factorio servers would be a great asset to add in. That amplification...
They really do need to look into this.
Re: [Network Protocol] Connection brokering potential DDOS
I found that so important that I moved it to bugs (even knowing that it isn't a bug).
Cool suggestion: Eatable MOUSE-pointers.
Have you used the Advanced Search today?
Need help, question? FAQ - Wiki - Forum help
I still like small signatures...
- Burner Inserter
- Posts: 12
- Joined: Thu Jun 02, 2016 6:26 pm
Re: [Network Protocol] Connection brokering potential DDOS
Thanks ssilk. I can provide more information, write a script to do this, or test to see if the bug still exists in .13 if you like.
Re: [Network Protocol] Connection brokering potential DDOS
Important indeed!
Hosting a factorio server? Take a look at this || init script ||.
Re: [Network Protocol] Connection brokering potential DDOS
solidDoWant wrote: Thanks ssilk. I can provide more information, write a script to do this, or test to see if the bug still exists in .13 if you like.
Just wait for the devs' responses to this (you can turn notifications on, you know). I'm just the herald.
- TruePikachu
- Filter Inserter
- Posts: 978
- Joined: Sat Apr 09, 2016 8:39 pm
Re: [Network Protocol] Connection brokering potential DDOS
Possible solution would be to establish a handshake with the client instead of assuming it is good. Client sends a single packet out, server sends a single packet in reply, client replies to that packet, server starts sending tons of packets to the client. If the client isn't an actual Factorio game, it probably won't reply to the packet the server sends, or if it does, the server can hopefully see the packet isn't the expected response.
- Burner Inserter
- Posts: 12
- Joined: Thu Jun 02, 2016 6:26 pm
Re: [Network Protocol] Connection brokering potential DDOS
TruePikachu wrote: Possible solution would be to establish a handshake with the client instead of assuming it is good. Client sends a single packet out, server sends a single packet in reply, client replies to that packet, server starts sending tons of packets to the client. If the client isn't an actual Factorio game, it probably won't reply to the packet the server sends, or if it does, the server can hopefully see the packet isn't the expected response.
Yep, that's essentially the fix I described in my OP.
- Fast Inserter
- Posts: 207
- Joined: Thu Jun 04, 2015 12:20 am
Re: [Network Protocol] Connection brokering potential DDOS
The handshaking packet would have to have some sort of token attached so an attacker cannot just send a generic "handshake reply" packet.
- Burner Inserter
- Posts: 12
- Joined: Thu Jun 02, 2016 6:26 pm
Re: [Network Protocol] Connection brokering potential DDOS
Yep. The TCP handshake ( https://en.wikipedia.org/wiki/Handshaking ) would be extremely easy to implement and would solve the whole issue. Just need to get a dev to actually read this.
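The handshake the thread converges on (the OP's small confirmation message, plus the point that the confirmation must carry a token), as an added illustration that is not Factorio's code: the server answers an unverified source with nothing but a short HMAC cookie bound to the claimed address and a time bucket, and sends the large burst only once that cookie comes back from the same address. The secret, the 30-second bucket, the message layouts and the burst stand-in are assumptions; the 100-byte request and 600 x 116-byte burst are the numbers from the report.

```python
import hashlib
import hmac
import secrets

# Added illustration, not Factorio's protocol. A stateless "cookie" handshake:
# the server sends an unverified source only a short challenge, so a spoofed
# ConnectionRequest cannot make it emit the large reply toward a victim.

REQUEST_BYTES = 100            # size of a ConnectionRequest per the report
BURST = [b"H" * 116] * 600     # stand-in for ~600 HeartbeatGroup messages of ~116 bytes


class BrokerServer:
    def __init__(self, secret=None, bucket_seconds=30):
        # Server-side secret: a client can only learn a valid cookie by
        # actually receiving the challenge at the address it claimed.
        self._secret = secret or secrets.token_bytes(32)
        self._bucket = bucket_seconds  # assumed cookie lifetime window

    def _cookie(self, addr, epoch):
        msg = f"{addr[0]}:{addr[1]}:{epoch}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def on_connection_request(self, addr, now):
        # Step 1: no state kept, no burst; the reply is 20 bytes (gain below 1).
        return b"CHAL" + self._cookie(addr, int(now // self._bucket))

    def on_challenge_reply(self, addr, cookie, now):
        # Step 2: accept the cookie for the current or previous bucket only,
        # and only from the address it was minted for. Returns the burst or None.
        epoch = int(now // self._bucket)
        for e in (epoch, epoch - 1):
            if hmac.compare_digest(cookie, self._cookie(addr, e)):
                return list(BURST)
        return None


def amplification(request_bytes, reply_messages):
    # Bytes the server emits per byte it received.
    return sum(len(m) for m in reply_messages) / request_bytes


def spoofed_request_cost(server, victim_addr, now=0.0):
    # What a victim receives when an attacker forges its source address:
    # only the challenge; the cookie never reaches the attacker, so no burst.
    challenge = server.on_connection_request(victim_addr, now)
    return amplification(REQUEST_BYTES, [challenge])
```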
Re: [Network Protocol] Connection brokering potential DDOS
So it seems like their idea of UDP NAT punching in order to avoid using TCP has basically resulted in needing to re-implement much of TCP... except in UDP?
Oh NAT, will there be no end to your screwing up of the internet.
https://www.factorio.com/blog/post/fff-143
https://www.factorio.com/blog/post/fff-136
- Burner Inserter
- Posts: 12
- Joined: Thu Jun 02, 2016 6:26 pm
Re: [Network Protocol] Connection brokering potential DDOS
Yeah, their protocol repeats a lot of what the TCP protocol uses. However, this isn't necessarily a bad thing. They have, after all, cut down on the number of packets and number of bytes being sent between the client and server (compared to if they used TCP). The protocol just needs some more testing/bug fixing. A lot (most?) multiplayer games do the same thing. That being said, the benefits of using UDP instead of TCP and some bugs similar to this one are kind of canceling each other out. The protocol needs a lot more work in terms of bug fixing and optimization.
As for NAT, there really wouldn't be an internet (as we know it) without NAT. Without it there wouldn't be a way of getting two separate networks (i.e. the Internet and your local network) to communicate. It's an essential part of network routing.
Re: [Network Protocol] Connection brokering potential DDOS
Yes, so it is fixed in 0.14