You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A request packet has its unique request ID. A ZeroNet implementation interprets a response packet with the help of the request ID. If an attacker spoofs the request ID in a malicious response packet, then the implementation cannot properly interpret the response, and may incorrectly abort the previous request. This attack works even when the attacker does not run the Internet infrastructure. Consider the following example.
When sequential request ID works:
A --> B
<getFile, req_id=0>
B --> A
<response, to_req_id=0, file_content=bytes>
A: I got a response for request 0. It has file payload in it.
When sequential request ID does not work:
A --> B
<getFile, req_id=0>
C --> A
<response, to_req_id=0, error>
B --> A
<response, to_req_id=0, file_content=bytes>
A: I got a response for request 0. I can decode this response properly. It says there is
an error on the other side.
A: I got a response for request 0. I handled request 0 a second ago, dropping this
response.
There are algorithms that handle request IDs more safely.
Store an (ip_address, port, request_id) tuple as the real identifier. Does not work with connectionless sockets, such as datagram. Denies "retry," which may be a problem for the peers that have poor connectivity. This seems too restrictive.
Generate random request IDs. Take 4 bytes of random data from os.urandom and convert them to an integer.
Which algorithm does ZeroNet use?
The text was updated successfully, but these errors were encountered:
The request-id is per-connection. I not sure how could anyone inject a fake response packet to a TCP (and encrypted) stream. And if someone could, then I think the random id does not helps as the attacker could also record the request id sent to remote client.
A request packet has its unique request ID. A ZeroNet implementation interprets a response packet with the help of the request ID. If an attacker spoofs the request ID in a malicious response packet, then the implementation cannot properly interpret the response, and may incorrectly abort the previous request. This attack works even when the attacker does not run the Internet infrastructure. Consider the following example.
When sequential request ID works:
When sequential request ID does not work:
There are algorithms that handle request IDs more safely.
Store an
(ip_address, port, request_id)
tuple as the real identifier. Does not work with connectionless sockets, such as datagram. Denies "retry," which may be a problem for the peers that have poor connectivity. This seems too restrictive.Generate random request IDs. Take 4 bytes of random data from
os.urandom
and convert them to an integer.Which algorithm does ZeroNet use?
The text was updated successfully, but these errors were encountered: