以太坊UDP流量放大反射DDOS漏洞
漏洞影響
該漏洞表面上是一個放大5倍udp反射DDOS漏洞,但其對ETH的P2P網路的影響是非常大的,但是這個漏洞有很大的兩個副作用,一個是ETH的發現節點池會不斷的被堆滿,導致正常節點無法加入,二是可遮蔽被攻擊節點無法探索到任意子網的節點。
漏洞分析
先讓我們來看看ETH P2P發現協議的文件,在 https://github.com/ethereum/devp2p/blob/master/discv4.md
這篇ETH P2P發現協議文件裡是有對udp反射DDOS做防禦的。
Pong Packet (0x02)
packet-data = [to, ping-hash, expiration]
Pong is the reply to ping.ping-hash should be equal to hash of the corresponding ping packet.Implementations should ignore unsolicited pong packets that do not contain the hash of the most recent ping packet.
其方法就是通過簽名PIng包並且讓對方主機回覆的Pong包要帶上之前Ping包的hash才可以通過校驗。這個從設計上來說是沒什麼問題的,然而go-ethereum在實現該協議的時候出了問題。
讓我們來看看go-ethereum是怎麼實現該協議的,在 https://github.com/ethereum/go-ethereum/blob/master/p2p/discover/udp.go#L618
func (req *ping) handle(t *udp, from *net.UDPAddr, fromKey encPubkey, mac []byte) error { if expired(req.Expiration) { return errExpired } key, err := decodePubkey(fromKey) if err != nil { return fmt.Errorf("invalid public key: %v", err) } //收到ping包後馬上回復pong包 t.send(from, pongPacket, &pong{ To:makeEndpoint(from, req.From.TCP), ReplyTok:mac, Expiration: uint64(time.Now().Add(expiration).Unix()), }) n := wrapNode(enode.NewV4(key, from.IP, int(req.From.TCP), from.Port)) t.handleReply(n.ID(), pingPacket, req) //如果沒通過pong校驗則傳送一個ping包進行pong校驗,如果通過pong校驗則加入發現節點池 if time.Since(t.db.LastPongReceived(n.ID())) > bondExpiration { t.sendPing(n.ID(), from, func() { t.tab.addThroughPing(n) }) } else { t.tab.addThroughPing(n) } t.localNode.UDPEndpointStatement(from, &net.UDPAddr{IP: req.To.IP, Port: int(req.To.UDP)}) t.db.UpdateLastPingReceived(n.ID(), time.Now()) return nil }
由於我們是第一次連線,所以要進行pong校驗,我們來看看go-ethereum是怎麼實現協議中的pong校驗的,在 https://github.com/ethereum/go-ethereum/blob/master/p2p/discover/udp.go#L645
func (req *pong) handle(t *udp, from *net.UDPAddr, fromKey encPubkey, mac []byte) error { if expired(req.Expiration) { return errExpired } fromID := fromKey.id() //開始處理pong,如果沒有請求過pong,就返回錯誤 if !t.handleReply(fromID, pongPacket, req) { return errUnsolicitedReply } t.localNode.UDPEndpointStatement(from, &net.UDPAddr{IP: req.To.IP, Port: int(req.To.UDP)}) //重新整理pong時間,通過pong校驗 t.db.UpdateLastPongReceived(fromID, time.Now()) return nil }
可見只要通過t.handleReply的校驗我們就可以重新整理pong時間通過校驗了,讓我們來看看t.handleReply 是怎麼處理的 https://github.com/ethereum/go-ethereum/blob/master/p2p/discover/udp.go#L369
func (t *udp) handleReply(from enode.ID, ptype byte, req packet) bool { matched := make(chan bool, 1) select { //放入gotreply等待返回matched case t.gotreply <- reply{from, ptype, req, matched}: // loop will handle it return <-matched case <-t.closing: return false } }
我們繼續往下追
case r := <-t.gotreply: var matched bool for el := plist.Front(); el != nil; el = el.Next() { p := el.Value.(*pending) if p.from == r.from && p.ptype == r.ptype { //是否有拉取過請求,有則matched為true matched = true // Remove the matcher if its callback indicates // that all replies have been received. This is // required for packet types that expect multiple // reply packets. //對應的callback校驗,然而就算p.callback返回為false,matched也為true if p.callback(r.data) { p.errc <- nil plist.Remove(el) } // Reset the continuous timeout counter (time drift detection) contTimeouts = 0 } } r.matched <- matched
這裡基本能看出問題了,p.callback返回了false,只要不丟擲錯誤,matched還是true,校驗就算通過了,我們再來看看pong校驗的callback是怎麼處理的 https://github.com/ethereum/go-ethereum/blob/master/p2p/discover/udp.go#L294
func (t *udp) sendPing(toid enode.ID, toaddr *net.UDPAddr, callback func()) <-chan error { req := &ping{ Version:4, From:t.ourEndpoint(), To:makeEndpoint(toaddr, 0), // TODO: maybe use known TCP port from DB Expiration: uint64(time.Now().Add(expiration).Unix()), } packet, hash, err := encodePacket(t.priv, pingPacket, req) if err != nil { errc := make(chan error, 1) errc <- err return errc } //這裡就是pong校驗的callback,可見就算沒通過校驗也只是返回了false errc := t.pending(toid, pongPacket, func(p interface{}) bool { ok := bytes.Equal(p.(*pong).ReplyTok, hash) if ok && callback != nil { callback() } return ok }) t.localNode.UDPContact(toaddr) t.write(toaddr, req.name(), packet) return errc }
所有,實際上go-ethereum並沒有很好的實現pong校驗,導致協議設計的防禦機制徹底失效。
漏洞利用
- 偽造udp源地址
- 構造ping包傳送到geth的p2p發現協議UDP埠,拉取pong請求
- 構造pong包傳送到geth的p2p發現協議UDP埠,hash留空即可
- 然後再發送findnode包即可發射5倍以上udp流量
由於官方還未修補該漏洞,所以暫時不公佈POC
漏洞演示
下面用go-ETH最新版1.8.21來演示
成功將UDP流量放大5倍反射到1.1.6.7
單個虛擬機器測試,CPU佔用率輕鬆達到50%
遮蔽受害節點無法發現指定網段節點: