DoS in Discovery Handler #2458
Comments
jsdanielh
added a commit
that referenced
this issue
May 9, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it does't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 9, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
3 tasks
jsdanielh
added a commit
that referenced
this issue
May 9, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 10, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 15, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 15, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 16, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 17, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 20, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 22, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 22, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 22, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 27, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 27, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 30, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 30, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 30, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 30, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Link: https://hackerone.com/reports/2463319
Date: 2024-04-15 08:36:39 UTC
By: d0nut
Weakness: HTTP DoS
Details:
Summary
A malicious peer could wait until a victim peer entered the
HandlerState::ReceiveHandshakeAck(or a few other handler states) and stop responding, leaving the client in a state where it perpetually waits for the next part of the handshake. This is because there is no timeout on connections during the handshake, leading to a Denial of Service scenario.(Ignore the selected weakness - no standard "Denial of Service" weakness existed for some reason).
File reference:
network-libp2p/src/discovery/handler.rsLine: 477
Recommendation
Add a timeout on the discovery handler handshake that fails the handshake after a period of time.
Impact
A malicious peer could intentionally stall out victim peers
The text was updated successfully, but these errors were encountered: