Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add maximum packet size check #40

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add maximum packet size check #40

wants to merge 1 commit into from

Conversation

creikey
Copy link

@creikey creikey commented Jul 16, 2022

No description provided.

@treeform
Copy link
Owner

Sorry, I don't think this is a realistic attack vector. Have you encountered this in the wild?

Do you have an example of a webSocket library that supports this?

Although this might help in the case where the attacker sends you a large packet, its just one of many networked based attacks. Attacker can make a ton of connections, don't reply, reply in bursts, send a ton of small packets etc...

You need a wholistic system to handle such attacks.

I feel its better to limit the attack at the network layer, where if an IP is spamming you with junk you ban them, maybe with iptables? https://serverfault.com/questions/594012/ban-an-ip-when-the-server-received-an-amount-of-data-from-it

You probably have multiple servers, again I feel its better to handle this at the load balancing layer. I would investigate nginx, haproxy, or couldflare.

@creikey
Copy link
Author

creikey commented Jul 17, 2022

Sorry, I don't think this is a realistic attack vector. Have you encountered this in the wild?

Do you have an example of a webSocket library that supports this?

Although this might help in the case where the attacker sends you a large packet, its just one of many networked based attacks. Attacker can make a ton of connections, don't reply, reply in bursts, send a ton of small packets etc...

You need a wholistic system to handle such attacks.

I feel its better to limit the attack at the network layer, where if an IP is spamming you with junk you ban them, maybe with iptables? https://serverfault.com/questions/594012/ban-an-ip-when-the-server-received-an-amount-of-data-from-it

You probably have multiple servers, again I feel its better to handle this at the load balancing layer. I would investigate nginx, haproxy, or couldflare.

This makes sense to me, nginx unfortunately doesn't support websocket protection. I was hoping I could just do client side load balancing to just randomly select an available lobby server to simplify the stack, but that would require cloudflare protection on each server...

@creikey
Copy link
Author

creikey commented Jul 18, 2022

Sorry, I don't think this is a realistic attack vector. Have you encountered this in the wild?

Do you have an example of a webSocket library that supports this?

Although this might help in the case where the attacker sends you a large packet, its just one of many networked based attacks. Attacker can make a ton of connections, don't reply, reply in bursts, send a ton of small packets etc...

You need a wholistic system to handle such attacks.

I feel its better to limit the attack at the network layer, where if an IP is spamming you with junk you ban them, maybe with iptables? https://serverfault.com/questions/594012/ban-an-ip-when-the-server-received-an-amount-of-data-from-it

You probably have multiple servers, again I feel its better to handle this at the load balancing layer. I would investigate nginx, haproxy, or couldflare.

import asyncdispatch, asynchttpserver, ws

proc main() {.async.} =
  var ws = await newWebSocket("wss://the-server.org")
  await ws.send(newString(1024*1024*1024))
  echo await ws.receiveStrPacket()
  ws.close()

waitFor main()

Something like this can completely hang the server on ram, this is ignoring that you can provide an invalid length in the header of the websocket packet that's something like 10 gigabytes, and the server will recv that length, causing the socket to wait forever (does this matter if it's async?) as there's no timeout specified and the socket is buffered.

@creikey
Copy link
Author

creikey commented Aug 16, 2022

@treeform In a server protected by cloudflare this attack still works #42 , I think the actual websocket code needs to reject data unreasonably large for the application, as nginx does nothing to the proxied websocket packets, and for some applications sending this much data over a websocket is reasonable, so cloudflare can't just ban all large packets.

@treeform
Copy link
Owner

In fact the application I use it for needs to send very large packets over WS.

But that still can be exploited, see my thoughts on #42

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@creikey @treeform