-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DoS in Discovery Handler #2458
Comments
jsdanielh
added a commit
that referenced
this issue
May 9, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it does't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 9, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
3 tasks
jsdanielh
added a commit
that referenced
this issue
May 9, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 10, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 15, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 15, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 16, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 17, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 20, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 22, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 22, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 22, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 27, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 27, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 30, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 30, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 30, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
jsdanielh
added a commit
that referenced
this issue
May 30, 2024
Add timeout for the state transition in the discovery handler such that a peer don't hold us in a state indefinitely if it doesn't send us back a message we expect. This fixes #2458.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Link: https://hackerone.com/reports/2463319
Date: 2024-04-15 08:36:39 UTC
By: d0nut
Weakness: HTTP DoS
Details:
Summary
A malicious peer could wait until a victim peer entered the
HandlerState::ReceiveHandshakeAck
(or a few other handler states) and stop responding, leaving the client in a state where it perpetually waits for the next part of the handshake. This is because there is no timeout on connections during the handshake, leading to a Denial of Service scenario.(Ignore the selected weakness - no standard "Denial of Service" weakness existed for some reason).
File reference:
network-libp2p/src/discovery/handler.rs
Line: 477
Recommendation
Add a timeout on the discovery handler handshake that fails the handshake after a period of time.
Impact
A malicious peer could intentionally stall out victim peers
The text was updated successfully, but these errors were encountered: