Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mDNS request (port 5353) flood in Windows #93

Closed
linfan opened this issue Jan 6, 2022 · 7 comments
Closed

mDNS request (port 5353) flood in Windows #93

linfan opened this issue Jan 6, 2022 · 7 comments
Labels
Stale

Comments

@linfan
Copy link
Contributor

linfan commented Jan 6, 2022

Environment

  • OS: Windows Server 2019 64Bit
  • Version: v2.3.2
  • Network: N/A
  • Proxy Server: N/A

Log

> tun2socks.exe --proxy socks5://x.x.x.x:1080 --device tun://tun0 --loglevel debug
2022/01/06 14:13:10 Using existing driver 0.14
2022/01/06 14:13:10 Creating adapter
time="2022-01-06T14:13:10+08:00" level=info msg="[STACK] tun://tun0 <-> socks5://127.0.0.1:2223"
time="2022-01-06T14:13:11+08:00" level=info msg="[UDP] [fe80::e40c:b0f2:f142:170]:5353 --> [ff02::fb]:5353"
time="2022-01-06T14:13:11+08:00" level=info msg="[UDP] [fe80::e40c:b0f2:f142:170]:51565 --> [ff02::1:3]:5355"
time="2022-01-06T14:13:11+08:00" level=info msg="[UDP] [fe80::e40c:b0f2:f142:170]:5353 --> [ff02::fb]:5353"
time="2022-01-06T14:13:11+08:00" level=info msg="[UDP] [fe80::e40c:b0f2:f142:170]:5353 --> [ff02::fb]:5353"
time="2022-01-06T14:13:11+08:00" level=info msg="[UDP] [fe80::e40c:b0f2:f142:170]:5353 --> [ff02::fb]:5353"
time="2022-01-06T14:13:11+08:00" level=info msg="[UDP] [fe80::e40c:b0f2:f142:170]:5353 --> [ff02::fb]:5353"
... Continually go on, about 5000~6000 UDP requests to 5353 port per second !!! ...
time="2022-01-06T14:13:14+08:00" level=warning msg="queue is currently full, packet will be dropped"
time="2022-01-06T14:13:14+08:00" level=warning msg="queue is currently full, packet will be dropped"
time="2022-01-06T14:13:14+08:00" level=warning msg="queue is currently full, packet will be dropped"
... ...
time="2022-01-06T14:13:17+08:00" level=warning msg="[UDP] dial [ff02::fb]:5353 error: listen packet: listen udp :0: bind: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full."
time="2022-01-06T14:13:17+08:00" level=warning msg="[UDP] dial [ff02::fb]:5353 error: client handshake: 0x04: host unreachable"

Above are log without any IP or route set to tun device.
If an IP v4 address is assigned to this tun device, there will be even more packages, sending to both [ff02::fb]:5353 and 224.0.0.251:5353.

Describe the bug

By searching "5353" in the issue list, I'm sure those requests are innocent but should in a much lower frequency (about ~10 per second), wondering what happens...

Any suggestion or clues ?

To Reproduce

Just run tun2socks executable.
@linfan
Copy link
Contributor Author

linfan commented Jan 6, 2022

This is a full log
tun2socks.log

@xjasonlyu
Copy link
Owner

Have you tried to add those ip as exceptional routes?

Honestly, I haven't well tested this project in Windows, so I may not have better solutions yet.

@linfan
Copy link
Contributor Author

linfan commented Jan 7, 2022

Many of the packages are request sent by tun2sock itself, route rule may not work.

After some digging, I found there are also lot of request or response to some certain ports besides 5353. Currently I add below lines at the beginning of handleUDP(packet core.UDPPacket) method as a workaround, drop all flooding packages.

	if strings.HasSuffix(packet.RemoteAddr().String(), ":137") ||
		strings.HasSuffix(packet.RemoteAddr().String(), ":5353") ||
		strings.HasSuffix(packet.LocalAddr().String(), ":1900") ||
		strings.HasSuffix(packet.LocalAddr().String(), ":5355") {
		return
	}

So far so good, as I don't use any of above ports. However the truth is not yet clear.

@xjasonlyu
Copy link
Owner

I suddenly realized that Windows doesn't even have things like iptables to do packet dropping for you...

@linfan
Copy link
Contributor Author

linfan commented Jan 13, 2022

Windows has netsh firewall command which can handle the package dropping things, though I don't familiar with that either.

Today I find these UDP flooding also happened under MacOS. After setup tun2socks, I add 172.20.0.0/16 route to the tun, and 172.20.0.10 is an internal DNS server within that IP range. When I do nslookup <some-domain> 172.20.0.10, in the tun2socks log I will see in total of 57 UDP requests are send to the 53 port of target address:

INFO[0930] [UDP] 172.20.0.0:64947 --> 172.20.0.10:53
INFO[0930] [UDP] 172.20.0.0:51459 --> 172.20.0.10:53
INFO[0930] [UDP] 172.20.0.0:59504 --> 172.20.0.10:53
INFO[0930] [UDP] 172.20.0.0:62967 --> 172.20.0.10:53
INFO[0930] [UDP] 172.20.0.0:62975 --> 172.20.0.10:53
INFO[0930] [UDP] 172.20.0.0:60109 --> 172.20.0.10:53
INFO[0930] [UDP] 172.20.0.0:59172 --> 172.20.0.10:53
INFO[0930] [UDP] 172.20.0.0:63948 --> 172.20.0.10:53
INFO[0930] [UDP] 172.20.0.0:52707 --> 172.20.0.10:53
INFO[0930] [UDP] 172.20.0.0:57995 --> 172.20.0.10:53
... ... in total 57 times ... ...

However there is no response (and no log found in DNS server, I believe the package was lost somehow).

It seems the flooding only happen with UDP, All TCP connection working well so far.

@xjasonlyu
Copy link
Owner

Hmm, you need tun2socks handle your internal DNS query? but it would be sent to your socks server though.

@github-actions
Copy link

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the Stale label Mar 30, 2022
@github-actions github-actions bot closed this as completed Apr 6, 2022
@xjasonlyu xjasonlyu mentioned this issue May 14, 2022
Closed
@arm64v8a arm64v8a mentioned this issue May 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@linfan @xjasonlyu