[ENet-discuss] enet comments

Rene Dudfield enet-discuss@lists.puremagic.com
Fri, 7 Mar 2003 23:53:04 +0000 (GMT)


> > For example, if a protocol sends a "connect packet" and then the
> > server allocates space for that client without a reasonable time
> > frame to dispose of that client, then you can easily flood a server
> > with multiple connect packets and varying session/client id values.
> > In a matter of minutes a server could think it has several thousand
> > clients attempting to connect, causing overflow conditions or just
> > really bad performance.
> >
>     Currently this can be exploited in ENet, in so far as there is a
> maximum limit on clients. You could spam a lot of connect packets
> and fill up all the connection slots. However, other than preventing
> new connections for a few minutes, it shouldn't harm anything currently.
>
>     Separating potential connections from established connections would
> mostly solve this problem in ENet. However, then you need to limit
> the number of potential connections, or else somebody could cause a
> flood of potential connections structures to be allocated, and still
> crash the server.
>
>     So one way would be to limit the number of potential connections,
> but rather than dropping new potential connections when the limit is
> reached, you drop old potential connections, and allow the new one to
> succeed. Even in the middle of an attack, this would allow actual
> clients to connect. Combine with just preventing obscene numbers of
> reconnects within a certain time frame from a given host, and you could
> effectively prevent this attack.
>
>     Alternatively, you could just employ this scheme on the connection
> structures themselves, and not bother with distinguishing between
> potential and established connections.
>
>     I'll have to think about this a bit more ENet, though.
>

How about the initial connection being done with
TCP/IP, with a random cookie stored inside?  Then
further communication would require this cookie.



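
The scheme from the quoted reply above (a capped table of potential connections that drops the oldest entry when full, combined with a per-host limit on connect attempts in a time window), as an added C example that is not ENet code and not code from either poster. The names, table size and limits are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumed limits, kept small so the behaviour is easy to follow. */
#define MAX_PENDING       4   /* cap on potential (half-open) connections */
#define HOST_WINDOW       10  /* seconds */
#define HOST_MAX_ATTEMPTS 3   /* pending connects allowed per host per window */

typedef struct {
    uint32_t host;     /* sender address from the connect packet */
    uint32_t session;  /* session/client id from the connect packet */
    uint32_t seen;     /* arrival time in seconds */
    int      used;
} Pending;

static Pending table[MAX_PENDING];

void pending_reset(void) { memset(table, 0, sizeof table); }

/* Record a connect packet. Returns the slot used, or -1 when the host
 * already has too many recent attempts. A full table never rejects a
 * new host: the oldest potential connection is dropped instead. */
int pending_add(uint32_t host, uint32_t session, uint32_t now)
{
    int i, slot = -1, oldest = 0, from_host = 0;
    for (i = 0; i < MAX_PENDING; i++) {
        if (!table[i].used) { if (slot < 0) slot = i; continue; }
        if (table[i].host == host && now - table[i].seen < HOST_WINDOW)
            from_host++;
        if (!table[oldest].used || table[i].seen < table[oldest].seen)
            oldest = i;
    }
    if (from_host >= HOST_MAX_ATTEMPTS) return -1;
    if (slot < 0) slot = oldest;            /* table full: evict oldest */
    table[slot].host = host;  table[slot].session = session;
    table[slot].seen = now;   table[slot].used = 1;
    return slot;
}

/* Handshake completed: move the entry out of the pending table.
 * Returns 1 if it was still pending, 0 if it was evicted or never seen. */
int pending_promote(uint32_t host, uint32_t session)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (table[i].used && table[i].host == host && table[i].session == session) {
            table[i].used = 0;
            return 1;
        }
    return 0;
}
```

Memory stays bounded at MAX_PENDING entries however many connect packets arrive, and a client whose entry was evicted before its handshake completed simply has to retry.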