A risk exists where a malicious DNS seeder eclipses a node by returning an enormous number of IP addresses. In this commit we mitigate this risk by limiting the number of IP addresses addrman learns to 256 per DNS seeder.
As discussed with @theuni
Limit the number of IPs addrman learns from each DNS seeder #12626
pull EthanHeilman wants to merge 1 commits into bitcoin:master from EthanHeilman:master changing 1 files +2 −1-
EthanHeilman commented at 11:30 PM on March 6, 2018: contributor
-
46e7f800bd
Limit the number of IPs we use from each DNS seeder
A risk exists where a malicious DNS seeder eclipses a node by returning an enormous number of IP addresses. In this commit we mitigate this risk by limiting the number of IP addresses addrman learns to 256 per DNS seeder.
- fanquake added the label P2P on Mar 6, 2018
- randolf approved
-
randolf commented at 4:14 AM on March 7, 2018: contributor
This is a very good first step in mitigating this type of DoS attack, and 256 seems me to be an extremely generous default.
-
sipa commented at 4:26 AM on March 7, 2018: member
Since DNS responses generally are sent over UDP, all of them need to fit in a single IP packet (I believe), which puts a natural limit regardless. Having some explicit limit sounds good though.
-
randolf commented at 5:47 AM on March 7, 2018: contributor
@sipa Packets larger than 512 bytes are supported with the introduction of EDNS (see RFC 6891 dated April 2013; earlier RFCs that reference EDNS0 that may also be of interest) that uses an unsigned 16-bit integer to specify RDLEN (Record Data Length). Also, while UDP is a MUST for DNS services, TCP is a SHOULD, and both of these transport layer protocols can, for the most part, support EDNS's larger packet size options.
In summary, the natural limit that is more well-known has effectively been extended (IP packet fragmentation and reassembly make it possible to venture beyond the MSU, which is commonly set to 1,500 bytes).
-
practicalswift commented at 6:21 AM on March 7, 2018: contributor
utACK 46e7f800bd78aa4d4de5915b4a7e5a3234c507d6
-
-
sdaftuar commented at 2:33 PM on March 7, 2018: member
utACK 46e7f800bd78aa4d4de5915b4a7e5a3234c507d6
- theuni approved
-
theuni commented at 2:39 PM on March 7, 2018: member
utACK 46e7f800bd78aa4d4de5915b4a7e5a3234c507d6
-
EthanHeilman commented at 2:48 PM on March 7, 2018: contributor
Three years ago I tested the number of DNS entries I could get into Bitcoin for the eclipse attack paper. My test setup was Ubuntu Linux running Bitcoind querying a custom DNS server on localhost. We didn't end up using this attack so I wrote up a blog entry about the general question without mentioning bitcoin: How many IP addresses can a DNS query return?
- theuni added the label Needs backport on Mar 7, 2018
-
fanquake commented at 3:04 PM on March 7, 2018: member
utACK 46e7f80
- laanwj added this to the milestone 0.16.1 on Mar 7, 2018
- laanwj merged this on Mar 7, 2018
- laanwj closed this on Mar 7, 2018
- laanwj referenced this in commit efa18a230d on Mar 7, 2018
- fanquake referenced this in commit 163b505488 on Apr 12, 2018
- MarcoFalke referenced this in commit 6b4e24ff67 on Apr 20, 2018
- fanquake referenced this in commit f60e84dba4 on Apr 26, 2018
- laanwj referenced this in commit feba12fe85 on May 16, 2018
- fanquake removed the label Needs backport on May 16, 2018
-
- HashUnlimited referenced this in commit 66d59481b8 on Jun 29, 2018
- PastaPastaPasta referenced this in commit 915797f2da on Jan 26, 2020
- PastaPastaPasta referenced this in commit 72f7287de0 on Jan 26, 2020
- PastaPastaPasta referenced this in commit 8cc70adf80 on Jan 27, 2020
- PastaPastaPasta referenced this in commit a3ea0e93ef on Jan 27, 2020
- ckti referenced this in commit 2ed2e57ab1 on Mar 28, 2021
- DrahtBot locked this on Sep 8, 2021
