protect options from replay attack #22

Merged 1 commit on Oct 22, 2017

Masaq- (Contributor) commented Oct 22, 2016

Trying to determine why long-running sessions inexplicably become slow, I ran tcpdump and found unsolicited DNS queries beginning with the letter N were severely reducing the downstream fragment size.

When using carrier-grade DNS, the server is especially vulnerable to replay attacks that abuse the options commands (DNS queries beginning with N or O or S). I suggest refusing options commands after the negotiation of options has completed.

Masaq- (Contributor, Author) commented Oct 26, 2016

The attacks continue. Google DNS periodically sends the command "naaajo" to my server. Presumably I set user 0 fragsize 151 in some previous session and something cached the command and is replaying it. Fortunately now my server has been patched and I have kept the same session running smoothly for days with user 0 fragsize 1258 locked in.
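The refusal suggested in the comments above, as an added example that is not the code merged in this pull request and not the project's own: a hypothetical session model in which options commands (first letter N, O or S) are refused once negotiation is complete. `struct session`, `handle_query`, the integer `value` and the rule that the first non-options query ends negotiation are all assumptions; the fragment sizes 1258 and 151 are the ones quoted in the thread.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical per-user session state; not the project's actual structures. */
struct session {
    int fragsize;       /* downstream fragment size currently in effect */
    int negotiated;     /* set once option negotiation is considered done */
    int lock_options;   /* 1 = refuse options commands after negotiation */
};

enum verdict { APPLIED, REFUSED, PASSED };

/* cmd: first letter of the query name (letter case is not significant here).
 * value: constructed stand-in for the decoded option payload, used only as
 * a requested fragment size for 'n'; 'o' and 's' change nothing in this model.
 * Assumption: negotiation is complete when the first non-options query
 * arrives for the session. */
enum verdict handle_query(struct session *s, char cmd, int value)
{
    int c = tolower((unsigned char)cmd);
    int is_options = (c == 'n' || c == 'o' || c == 's');

    if (!is_options) {
        s->negotiated = 1;           /* tunnel traffic has started */
        return PASSED;
    }
    if (s->lock_options && s->negotiated)
        return REFUSED;              /* late or replayed options command */
    if (c == 'n')
        s->fragsize = value;
    return APPLIED;
}

/* Constructed scenario: negotiate 1258, start traffic, then a resolver
 * replays a cached 'n' query from an earlier session asking for 151. */
int fragsize_after_replay(int lock_options)
{
    struct session s = { 0, 0, lock_options };
    handle_query(&s, 'n', 1258);
    handle_query(&s, 'p', 0);        /* any non-options query */
    handle_query(&s, 'N', 151);      /* the replayed options command */
    return s.fragsize;
}

int main(void)
{
    printf("unlocked: %d, locked: %d\n", fragsize_after_replay(0), fragsize_after_replay(1));
    return 0;
}
```

With the lock off, the replayed query shrinks the fragment size for the rest of the session; with it on, the session keeps the negotiated value.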

@yarrick yarrick merged commit a96e2e7 into yarrick:master Oct 22, 2017
yarrick (Owner) commented Oct 22, 2017

Thanks!
