
[Network Protocol] Connection brokering potential DDOS

Posted: Fri Jun 03, 2016 12:11 am
by solidDoWant
As of right now, when a client sends a connection request to a server, the server sends a large number of packets back to the client. Due to the connection being UDP, this could potentially be used to perform a DDOS amplification attack. Here's how it works:

1. An attacker sends a connection request to the server. The attacker spoofs their IP address in the internet layer of the packet.
2. The Factorio server receives the packet, and sends a number of response packet types, including ConnectionReplyMessage, ConnectionAcceptMessage, and HeartbeatGroupMessages.
3. The target receives all the packets being sent from the Factorio server.

The major problem here is with the HeartbeatGroup messages. In my testing (no mods, 12.33), I found around 600 messages, each with a size of about 116 bytes. The ConnectionRequestMessage that was sent to the server totaled about 100 bytes. This means that the amplification is almost 700 times what I sent the server. To put that in perspective, an NTP amplification attack generally has a gain of around 70 times. Considering the upcoming server browser feature, Factorio servers could very easily be used to completely annihilate a server or internet connection.

The fix to this is extremely simple. The server simply needs to validate that the IP it received the ConnectionRequest from is a valid client. To do this, after the server receives the first ConnectionRequest message, it needs to reply with a very small confirmation message. If the client responds to that small confirmation message, then the server can freely send whatever information it needs to the client.

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Thu Jun 30, 2016 2:46 pm
by Sakata
Well now. Came here from the reddit thread thinking it would be a security thing. But a DDoS, that is pretty bad in and of itself. With all the botnet farming going on lately... if this is in fact accurate, Factorio servers would be a great asset to add in. That amplification...

They really do need to look into this.

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Thu Jun 30, 2016 3:41 pm
by ssilk
I found that so important that I moved it to bugs (even knowing that it isn't a bug).

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Thu Jun 30, 2016 4:12 pm
by solidDoWant
Thanks ssilk. I can provide more information, write a script to do this, or test to see if the bug still exists in .13 if you like.

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Thu Jun 30, 2016 5:43 pm
by Bisa
Important indeed! :shock:

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Thu Jun 30, 2016 6:42 pm
by ssilk
solidDoWant wrote: Thanks ssilk. I can provide more information, write a script to do this, or test to see if the bug still exists in .13 if you like.
Just wait for the devs' responses to this (you can turn on to receive notification, you know). :) I'm just the herald. :)

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Fri Jul 01, 2016 5:14 pm
by TruePikachu
Possible solution would be to establish a handshake with the client instead of assuming it is good. Client sends a single packet out, server sends a single packet in reply, client replies to that packet, server starts sending tons of packets to the client. If the client isn't an actual Factorio game, it probably won't reply to the packet the server sends, or if it does, the server can hopefully see the packet isn't the expected response.

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Fri Jul 01, 2016 6:18 pm
by solidDoWant
TruePikachu wrote: Possible solution would be to establish a handshake with the client instead of assuming it is good. Client sends a single packet out, server sends a single packet in reply, client replies to that packet, server starts sending tons of packets to the client. If the client isn't an actual Factorio game, it probably won't reply to the packet the server sends, or if it does, the server can hopefully see the packet isn't the expected response.
Yep, that's essentially the fix I described in my OP.

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Sat Jul 02, 2016 2:07 am
by chris13524
The handshaking packet would have to have some sort of token attached so an attacker cannot just send a generic "handshake reply" packet.

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Sat Jul 02, 2016 2:58 am
by solidDoWant
Yep. The TCP handshake ( https://en.wikipedia.org/wiki/Handshaking ) would be extremely easy to implement and would solve the whole issue. Just need to get a dev to actually read this.
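
The token-bound handshake discussed in the posts above, sketched as an added example (editor's illustration, not Factorio's code and not written by any poster in this thread). The REQ/CHL/ACK message names, the 10-second token lifetime and the stand-in bulk payload are assumptions; the point is that an unverified source address never receives more bytes than it sent.

```python
import hashlib
import hmac
import os
import struct
import time

SECRET = os.urandom(32)   # per-server key; rotate periodically
TOKEN_LIFETIME = 10       # seconds a challenge stays valid (assumed value)


def make_token(addr, now=None):
    """Token bound to the claimed source (ip, port) and a timestamp."""
    ts = int(now if now is not None else time.time())
    msg = f"{addr[0]}|{addr[1]}|{ts}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]
    return struct.pack("!I", ts) + mac   # 20 bytes, no per-client state kept


def check_token(addr, token, now=None):
    """True only if the token was issued to this exact address, recently."""
    if len(token) != 20:
        return False
    now = int(now if now is not None else time.time())
    (ts,) = struct.unpack("!I", token[:4])
    if not 0 <= now - ts <= TOKEN_LIFETIME:
        return False
    msg = f"{addr[0]}|{addr[1]}|{ts}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expected, token[4:])


def handle_datagram(addr, payload, now=None):
    """Return the datagrams the server would send to `addr`.

    Hypothetical wire format: b"REQ" + padding, or b"ACK" + token.
    """
    if payload.startswith(b"REQ"):
        # Unverified source: a single reply, never larger than the request.
        reply = b"CHL" + make_token(addr, now)
        return [reply] if len(reply) <= len(payload) else []
    if payload.startswith(b"ACK") and check_token(addr, payload[3:], now):
        # The peer proved it receives traffic at addr; bulk data is allowed.
        # 600 stand-in packets model the heartbeat burst from the first post.
        return [b"ACCEPT"] + [b"HEARTBEAT" * 12] * 600
    return []
```

Because the token is an HMAC over the address and timestamp, the server stores nothing for pending requests, so a flood of spoofed requests cannot exhaust memory either.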

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Sat Jul 02, 2016 4:58 am
by ixnorp
So it seems like their idea of UDP NAT punching in order to avoid using TCP has basically resulted in needing to re-implement much of TCP... except in UDP?
Oh NAT, will there be no end to your screwing up of the internet.
https://www.factorio.com/blog/post/fff-143
https://www.factorio.com/blog/post/fff-136

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Sat Jul 02, 2016 5:34 am
by solidDoWant
Yea, their protocol repeats a lot of what the TCP protocol uses. However, this isn't necessarily a bad thing. They have, after all, cut down on the number of packets and number of bytes being sent between the client and server (compared to if they used TCP). The protocol just needs some more testing/bug fixing. A lot of (most?) multiplayer games do the same thing. That being said, the benefits of using UDP instead of TCP and some bugs similar to this one are kind of canceling each other out. The protocol needs a lot more work in terms of bug fixing and optimization.

As for NAT, there really wouldn't be an internet (as we know it) without NAT. Without it there wouldn't be a way of getting two separate networks (i.e. Internet and your local network) to communicate. It's an essential part of network routing.

Re: [Network Protocol] Connection brokering potential DDOS

Posted: Fri Aug 26, 2016 1:59 pm
by kovarex
Yes, so it is fixed in 0.14