UDP reflection amplification attack #1001
Labels
Comments
|
Thank you for the analysis. Our instance was used for this kind of attack already. |
|
Alchiadus, Thank you for discovering it. It is OpenVPN original protocol's vulnerability. I have an idea to address this protocol vulnerability. How you you think about this idea? |
|
@dnobori, yes, that sounds reasonable. |
|
Good, good, I am willing to implement the above solution. |
|
I think that would work. I tried to test what would happen if SoftEther were not to send the With the proposed change, SoftEther will still continue to transmit one |
I suppose that the above behavior is not a problem. It doesn't behave as amplifier. |
dnobori
pushed a commit
to dnobori/SoftEtherVPN
that referenced
this issue
Oct 22, 2019
|
Fixed in #1014. |
|
Thank you for the quick response and fix. |
|
Please kindly test it. |
|
I can confirm the fix addresses the amplification issue: after sending a |
Andy2244
added a commit
to Andy2244/openwrt-extra
that referenced
this issue
Nov 26, 2019
* 5.01.9672 release * Cedar: handle UDP acceleration and R-UDP versions * Mayaqua: implement R-UDP version 2, powered by ChaCha20-Poly1305 * Cedar: implement UDP acceleration version 2, powered by ChaCha20-Poly1305 * Cedar: serve new web management interface * Cedar: implement detailed protocol info * Mayaqua: add Windows Server 2019 to the supported operating systems list * Cedar: various fixes * Cedar: add "DisableIPsecAggressiveMode" option * Make install dir for unit files configurable * Protocol.c: adapt ClientConnectGetSocket() for new proxy functions * Wpc.c: adapt WpcSockConnectEx() for new proxy functions * Protocol: add ProxyCodeToCedar() * Move generic proxy stuff from Cedar to Mayaqua * Proto_OpenVPN.c: improve OvsProcessData(), fix out-of-bounds access found by Coverity * Proto_OpenVPN.c: fix segmentation fault in OvsProceccRecvPacket() * Addressing the UDP reflection amplification attack: SoftEtherVPN/SoftEtherVPN#1001 * Mayaqua.h: include <stdarg.h> for "va_list" on Illumos * Protocol.c: fix bug in ClientConnectGetSocket() causing custom HTTP header not to work * Mayaqua: move HTTP functions from "Network" to "HTTP" * Move GetMimeTypeFromFileName() and related structure to Mayaqua * Mayaqua.h: include <stdio.h> for "FILE" * Mayaqua.h: include <stddef.h>, for "wchar_t" * Bump mixin-deep in /src/bin/hamcore/wwwroot/admin/default * - Fixed the problem occurs when RPC messages between Cluster Members exceed 64Kbytes. - Fixed the RADIUS PEAP client to use the standard TLS versioning. - Implementation of a function to fix the MAC address of L3 VPN protocol by entering e.g. "MAC: 112233445566" in the "Notes" field of the user information. - Implementation of a function to fix the virtual MAC address to be assigned to the L3 VPN client as a string attribute from RADIUS server when authentication. * Updating built-in Win32 libraries - OpenSSL 1.1.1 -> 1.1.1d - zlib 1.2.3 -> 1.2.11 * Update strtable_cn.stb * Avoid using hardcoded paths in log file enumeration * Fix buffer overflow during NETBIOS name resolution * Update SEVPN.sln * Create strtable_pt_br.stb * ci: display error if vpntest failed * Fix several compile warnings on MS VC++ 2008. * Enables crash minidump for Win32 vpntest. Minidump files will be saved to the 'C:\Users\<username>\AppData\Local\Temp\vpn_debug' (for normal user) or 'src\bin\vpn_debug\' (for administrator user). * OpenVPN: use new protocol interface * Add interface for easy protocol implementation * add "no-deprecated" to openssl builds "no-deprecated" is widely used in openwrt devices * Fix LibreSSL support * Switch to OpenSSL THREADID API * travis-ci: update openssl, libressl * enable sonar-scan in travis-ci builds * Virtual: fix race condition in DHCP server which resulted in multiple clients receiving the same IP * Mayaqua: Fix compilation without deprecated OpenSSL APIs * Mayaqua: Replace GNU specific sys/poll.h header with POSIX poll.h * systemd: replace deprecated CAP_SYS_ADMIN with CAP_SYSLOG
Andy2244
added a commit
to Andy2244/packages
that referenced
this issue
Nov 26, 2019
* 5.01.9672 release * Cedar: handle UDP acceleration and R-UDP versions * Mayaqua: implement R-UDP version 2, powered by ChaCha20-Poly1305 * Cedar: implement UDP acceleration version 2, powered by ChaCha20-Poly1305 * Cedar: serve new web management interface * Cedar: implement detailed protocol info * Mayaqua: add Windows Server 2019 to the supported operating systems list * Cedar: various fixes * Cedar: add "DisableIPsecAggressiveMode" option * Make install dir for unit files configurable * Protocol.c: adapt ClientConnectGetSocket() for new proxy functions * Wpc.c: adapt WpcSockConnectEx() for new proxy functions * Protocol: add ProxyCodeToCedar() * Move generic proxy stuff from Cedar to Mayaqua * Proto_OpenVPN.c: improve OvsProcessData(), fix out-of-bounds access found by Coverity * Proto_OpenVPN.c: fix segmentation fault in OvsProceccRecvPacket() * Addressing the UDP reflection amplification attack: SoftEtherVPN/SoftEtherVPN#1001 * Mayaqua.h: include <stdarg.h> for "va_list" on Illumos * Protocol.c: fix bug in ClientConnectGetSocket() causing custom HTTP header not to work * Mayaqua: move HTTP functions from "Network" to "HTTP" * Move GetMimeTypeFromFileName() and related structure to Mayaqua * Mayaqua.h: include <stdio.h> for "FILE" * Mayaqua.h: include <stddef.h>, for "wchar_t" * Bump mixin-deep in /src/bin/hamcore/wwwroot/admin/default * - Fixed the problem occurs when RPC messages between Cluster Members exceed 64Kbytes. - Fixed the RADIUS PEAP client to use the standard TLS versioning. - Implementation of a function to fix the MAC address of L3 VPN protocol by entering e.g. "MAC: 112233445566" in the "Notes" field of the user information. - Implementation of a function to fix the virtual MAC address to be assigned to the L3 VPN client as a string attribute from RADIUS server when authentication. * Updating built-in Win32 libraries - OpenSSL 1.1.1 -> 1.1.1d - zlib 1.2.3 -> 1.2.11 * Update strtable_cn.stb * Avoid using hardcoded paths in log file enumeration * Fix buffer overflow during NETBIOS name resolution * Update SEVPN.sln * Create strtable_pt_br.stb * ci: display error if vpntest failed * Fix several compile warnings on MS VC++ 2008. * Enables crash minidump for Win32 vpntest. Minidump files will be saved to the 'C:\Users\<username>\AppData\Local\Temp\vpn_debug' (for normal user) or 'src\bin\vpn_debug\' (for administrator user). * OpenVPN: use new protocol interface * Add interface for easy protocol implementation * add "no-deprecated" to openssl builds "no-deprecated" is widely used in openwrt devices * Fix LibreSSL support * Switch to OpenSSL THREADID API * travis-ci: update openssl, libressl * enable sonar-scan in travis-ci builds * Virtual: fix race condition in DHCP server which resulted in multiple clients receiving the same IP * Mayaqua: Fix compilation without deprecated OpenSSL APIs * Mayaqua: Replace GNU specific sys/poll.h header with POSIX poll.h * systemd: replace deprecated CAP_SYS_ADMIN with CAP_SYSLOG Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Andy2244
added a commit
to Andy2244/packages
that referenced
this issue
Nov 26, 2019
* 5.01.9672 release * Cedar: handle UDP acceleration and R-UDP versions * Mayaqua: implement R-UDP version 2, powered by ChaCha20-Poly1305 * Cedar: implement UDP acceleration version 2, powered by ChaCha20-Poly1305 * Cedar: serve new web management interface * Cedar: implement detailed protocol info * Mayaqua: add Windows Server 2019 to the supported operating systems list * Cedar: various fixes * Cedar: add "DisableIPsecAggressiveMode" option * Make install dir for unit files configurable * Protocol.c: adapt ClientConnectGetSocket() for new proxy functions * Wpc.c: adapt WpcSockConnectEx() for new proxy functions * Protocol: add ProxyCodeToCedar() * Move generic proxy stuff from Cedar to Mayaqua * Proto_OpenVPN.c: improve OvsProcessData(), fix out-of-bounds access found by Coverity * Proto_OpenVPN.c: fix segmentation fault in OvsProceccRecvPacket() * Addressing the UDP reflection amplification attack: SoftEtherVPN/SoftEtherVPN#1001 * Mayaqua.h: include <stdarg.h> for "va_list" on Illumos * Protocol.c: fix bug in ClientConnectGetSocket() causing custom HTTP header not to work * Mayaqua: move HTTP functions from "Network" to "HTTP" * Move GetMimeTypeFromFileName() and related structure to Mayaqua * Mayaqua.h: include <stdio.h> for "FILE" * Mayaqua.h: include <stddef.h>, for "wchar_t" * Bump mixin-deep in /src/bin/hamcore/wwwroot/admin/default * - Fixed the problem occurs when RPC messages between Cluster Members exceed 64Kbytes. - Fixed the RADIUS PEAP client to use the standard TLS versioning. - Implementation of a function to fix the MAC address of L3 VPN protocol by entering e.g. "MAC: 112233445566" in the "Notes" field of the user information. - Implementation of a function to fix the virtual MAC address to be assigned to the L3 VPN client as a string attribute from RADIUS server when authentication. * Updating built-in Win32 libraries - OpenSSL 1.1.1 -> 1.1.1d - zlib 1.2.3 -> 1.2.11 * Update strtable_cn.stb * Avoid using hardcoded paths in log file enumeration * Fix buffer overflow during NETBIOS name resolution * Update SEVPN.sln * Create strtable_pt_br.stb * ci: display error if vpntest failed * Fix several compile warnings on MS VC++ 2008. * Enables crash minidump for Win32 vpntest. Minidump files will be saved to the 'C:\Users\<username>\AppData\Local\Temp\vpn_debug' (for normal user) or 'src\bin\vpn_debug\' (for administrator user). * OpenVPN: use new protocol interface * Add interface for easy protocol implementation * add "no-deprecated" to openssl builds "no-deprecated" is widely used in openwrt devices * Fix LibreSSL support * Switch to OpenSSL THREADID API * travis-ci: update openssl, libressl * enable sonar-scan in travis-ci builds * Virtual: fix race condition in DHCP server which resulted in multiple clients receiving the same IP * Mayaqua: Fix compilation without deprecated OpenSSL APIs * Mayaqua: Replace GNU specific sys/poll.h header with POSIX poll.h * systemd: replace deprecated CAP_SYS_ADMIN with CAP_SYSLOG Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
This was referenced Nov 26, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
SoftEther is vulnerable to a UDP reflection amplification attack and can be abused to take on the role of the reflector.
We discovered the issue in production and were able to stop the attack at the firewall level by blocking all UDP traffic to SoftEther's listening ports, since we only support TCP at the moment.
Description
The attacker spoofs the IP address of the victim and uses it to send a UDP packet containing
P_CONTROL_HARD_RESET_CLIENT_V2to the server. SoftEther will respond to the victim withP_CONTROL_HARD_RESET_SERVER_V2. Since the victim will not reply with aP_ACK_V1, SoftEther assumes the packet got lost in transmission and will retransmitP_CONTROL_HARD_RESET_SERVER_V2everyOPENVPN_CONTROL_PACKET_RESEND_INTERVALmilliseconds (default 0.5 seconds) until the socket times out (default 30 seconds), resulting in an amplification factor of 60.The attack is described in detail here: http://13.58.107.157/archives/8190.
Reproduction
I included a Python script that demonstrates the amplification attack (see
udp_1194_amplification.py) and an example capture that shows the result (seeudp_1194_amplification.pcapng).udp_1194_amplification.zip
Mitigations
The attack could be mitigated by implementing an exponential backoff strategy similar to how OpenVPN does it (as shown on the page that describes the attack in detail), which would result in an amplification factor of 5 rather than 60.
Ideally, SoftEther would rate limit IPs, thus preventing the creation of a new session if that IP's limit has been reached.
The text was updated successfully, but these errors were encountered: