
Unauthenticated DoS by big messages

Open Sandwichs-del opened this issue 2 years ago • 1 comments

I found two ways to DoS a PySyncObj server by naive fuzzing, aka `cat /dev/urandom >/dev/tcp/localhost/5010`.

First: If attackers have sufficient bandwidth, they can just send an infinite stream of data. This causes `__tryReadBuffer()` to loop forever, saving everything in memory until it runs out.

Second: If attackers do not have sufficient bandwidth, they can still send a message with length 0x7FFFFFFF and 2GiB of garbage. This again allows filling 2GiB of available memory per one attacker connection.

I fixed it on my servers like this: https://github.com/Sandwichs-del/PySyncObj/tree/Sandwichs-del-patch-3-fix-unauthenticated-DoS, feel free to pull if you think changing `__tryReadBuffer` like that is acceptable.


But even with these holes plugged I am starting to feel it will never be as good as TLS (https://github.com/bakwc/PySyncObj/issues/46).

Sandwichs-del, Jan 11 '23 16:01

Protection on my servers was still too easy to bypass. An attacker who captured just one message signed by the right key could use it to defeat the protection. I updated the protection on my server like this: https://github.com/Sandwichs-del/PySyncObj/tree/Sandwichs-del-patch-4-improve-DoS-protection, again feel free to take inspiration or pull if you think it is okay to limit the size of the SelfAddress message and of utility command messages like that.

After this, only an attacker in a position to hijack a running TCP connection should be able to DoS.

Sandwichs-del, Jan 11 '23 16:01
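
The bounded-read idea from this thread, as an added example that is not part of the original posts and is neither the code in the linked branches nor PySyncObj's own: an incremental reader for length-prefixed frames that rejects an out-of-range declared length before buffering any payload, and applies a smaller cap until the peer has authenticated. The 4-byte little-endian signed length prefix, both cap values and all names (`BoundedFrameReader`, `FrameTooLarge`, `PRE_AUTH_MAX`, `POST_AUTH_MAX`) are assumptions for illustration.

```python
import struct

HEADER = struct.Struct("<i")      # assumed framing: 4-byte signed length prefix
PRE_AUTH_MAX = 1024               # hypothetical cap before the peer authenticates
POST_AUTH_MAX = 16 * 1024 * 1024  # hypothetical cap for authenticated peers


class FrameTooLarge(Exception):
    """Declared length is out of range; the caller should close the connection."""


class BoundedFrameReader:
    def __init__(self):
        self.authenticated = False   # caller sets this after a successful handshake
        self._buf = bytearray()      # partial header or partial payload
        self._need = None            # payload length once the header is parsed

    def limit(self):
        return POST_AUTH_MAX if self.authenticated else PRE_AUTH_MAX

    def buffered(self):
        return len(self._buf)

    def feed(self, data):
        """Consume one recv() chunk and return the complete frames it finished.

        Memory held between calls never exceeds max(HEADER.size, limit()).
        """
        frames, view = [], memoryview(data)
        while True:
            if self._need is None:
                take = HEADER.size - len(self._buf)
                self._buf += view[:take]
                view = view[take:]
                if len(self._buf) < HEADER.size:
                    return frames              # header still incomplete
                (length,) = HEADER.unpack(self._buf)
                self._buf.clear()
                if not 0 <= length <= self.limit():
                    raise FrameTooLarge(length)  # reject before buffering payload
                self._need = length
            take = self._need - len(self._buf)
            self._buf += view[:take]
            view = view[take:]
            if len(self._buf) < self._need:
                return frames                  # payload still incomplete
            frames.append(bytes(self._buf))
            self._buf.clear()
            self._need = None
```

The caller is expected to close the socket on `FrameTooLarge` and to bound how many bytes it reads per event-loop tick, so that a continuous stream cannot monopolise the read loop either.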