Opened 2 years ago
Last modified 2 months ago
#1340 new Bug / Defect
UDP reflection amplification attack
| Reported by: | mtaggart | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.7 |
| Component: | Generic / unclassified | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: | Steffan Karger, tct, plaisthos |
Description
I run a server that was subject to a DDoS attack today that appears to be a UDP reflection amplification attack coming from openvpn. I have searched the bug tracker, forums, CVEs, source, etc and could not find any mention of such a vulnerability, so I am asking here. Apologies if this is already solved or not an issue, but I was unable to determine so maybe at least it would help to document things.
What I am seeing is floods of P_CONTROL_HARD_RESET_SERVER_V2 packets coming from port 1194 on hundreds of source IPs. I searched around and found some things that might be related:
- Maybe the original vulnerability description https://www.freebuf.com/vuls/215171.html
- Maybe related articles:
- Bug in SoftEtherVPN (maybe based on openvpn? source looks different) with a good description and a python script POC https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1001
I plan to contact the network admins of the IPs used in the attack and I would like to include information on what course of action they should take.
Thanks
Change History (7)
comment:2 Changed 2 years ago by
There are two patches floating around that rate-limit responses to P_CONTROL_HARD_RESET_SERVER_V2 on servers that do not use either, but these have not been merged to the official repos yet, so it's not "patch the server and all is good" easy.
OTOH, tls-auth has other security benefits for the openvpn deployment, so it's a good idea for multiple reasons.
comment:3 Changed 2 years ago by
| Cc: | Steffan Karger added |
|---|
comment:4 Changed 2 years ago by
| Cc: | tct added |
|---|
comment:5 Changed 2 years ago by
The reflection part is somewhat inherent to UDP, though indeed tls-auth, tls-crypt and tls-crypt-v2 can restrict such attack to attackers actually holding valid key. This helps, but is of limited use for e.g. VPN providers.
We might be able to do something about the amplification though. The OpenVPN three-way handshake consists of a HARD_RESET_CLIENT_V2 (or V3), HARD_RESET_SERVER_V2 and ACK_V1 packet. If a malicious client only sends a HARD_RESET_CLIENT_V2, and doesn't reply to the HARD_RESET_SERVER_V2, the server will retry sending its reply four times. If the server would not retry this specific packet, we would get rid of most of the amplification.
A small amplification remains: a HARD_RESET_CLIENT_V2 packet has 14 bytes UDP payload (58 bytes packet), the HARD_RESET_SERVER_V2 reply has 26 bytes UDP payload (70 bytes packet).
comment:6 Changed 4 months ago by
| Cc: | plaisthos added |
|---|---|
| Milestone: | → release 2.6 |
Intermediate update: as of 2.6.0, an OpenVPN Server will only send a single reply packet to an incoming HARD_RESET_CLIENT* packet, ever (and not keep state, so it couldn't resend the HARD_RESET_SERVER* even if it wanted to). So while reflection attacks are still possible, the amplification factor has been taken care of.
What we still want to add is per-source rate limiting to make sure that OpenVPN is made sufficiently uninteresting as a reflection point. @plaisthos is working on this.
That all said, server operators still should use tls-auth or tls-crypt* :-)
comment:7 Changed 2 months ago by
| Milestone: | release 2.6 → release 2.7 |
|---|
Update again. The "initial packet rate-limit" patch has landed, so with 2.6.0 and up, the default is "100 initial packets per 10 seconds will be replied to" (and connections that succeed their 3way-handshake are not counted in that number).
In our tests this does not impair "large servers starting up with lots of new clients connecting" very strongly (because successfull connections do not count), and it makes OpenVPN fairly uninteresting for reflection attacks.
commit b520c68c67b6e52cd71b16675f1c436abf18d4dc (master)
commit 93d8d92319816a36f53ef8772bd6705f6abc2df9 (release/2.6)
Author: Arne Schwabe
Date: Tue Jan 10 02:59:01 2023 +0100
Add connect-freq-initial option to limit initial connection responses
... this is still not exactly what we wanted (do this on a per-ip/per-subnet basis), but that turned out to be more complex and 2.6.0 release is very close.
So, bumping the milestone to 2.7 for the "really nice" rate-limiter.
The server operators need to use
tls-authortls-crypt.Both will make the server stop responding to unauthenticated packets.