Preventing CTM attacks

Dj_Offset
Member
Posts: 53
Joined: 15 Sep 2008, 21:48
Location: adcs://adcs.uhub.org:1511

Preventing CTM attacks

Post by Dj_Offset » 05 Jan 2009, 15:34

It is possible to carry out a CTM flood attack by a rogue hub or a rogue user on a buggy hub. This type of attack is hard to prevent, but we can perhaps make it evident that it is happening, and also perhaps provide information about who is performing the attack (pinpoint the hub).

It is essential that the client performing the connection will send the hub reference initially, so that this can be logged by the attacker. Unfortunately this breaks the protocol somewhat, but nothing big.

In ADC:

Today, the client receives a CTM via the hub, tries to connect to the address and then sends the initial handshake:
"CSUP ADBASE (...)"

Proposed change:
Add flag "RF" (Reference) to the SUP command.
Example:
"CSUP ADBASE (...) RFadc://hub.example.com:1234"

Result: the attacked party can if necessary figure out which hub(s) are causing the CTMs by looking at incoming packets.

In NMDC:

Today, the client connects and sends:
$MyNick <nick>|$Supports (...)|$Lock

Proposed:

$MyNick <nick>|$Supports (...)|$Ref dchub://hub.example.com:1234|$Lock
(Bonus: it can even make the NMDC protocol a bit clearer.)

Anyway, this is a trivial change for ADC clients: they simply need to accept another flag while parsing the CSUP message, and do not need to verify it (silent ignore).
In order to support it fully, the client also needs to set the RF flag to point to the hub address whenever a CTM is received.

Even if not all clients do this, it will be evident to the attacked party which hub is generating the CTMs, so that further action can be taken against the hubs in question.

Comments?

Catalin
Junior Member
Posts: 12
Joined: 21 Mar 2008, 16:33
Location: Bucharest,Romania

Re: Preventing CTM attacks

Post by Catalin » 05 Jan 2009, 17:34

Where will the address be read from? If it is from hub_host, it's easy to change it and put something fake, or even add the address of another hub. Even if my English is bad, I hope I made myself clear.

Toast

Re: Preventing CTM attacks

Post by Toast » 05 Jan 2009, 17:42

If the point of origin can be an IP then it would be sweet, but an origin DNS name as a ref is also a good thing to have, because then a trace might be done.

Dj_Offset
Member
Posts: 53
Joined: 15 Sep 2008, 21:48
Location: adcs://adcs.uhub.org:1511

Re: Preventing CTM attacks

Post by Dj_Offset » 05 Jan 2009, 18:09

My initial thought is to use the address you used when you connected to the hub. That should be good enough.

Toast

Re: Preventing CTM attacks

Post by Toast » 06 Jan 2009, 09:35

- [09-01-05][20:55:03] <jvk> it is closer to the Reference header in HTTP, but that's just nitpicking.
- [09-01-05][20:55:34] <jvk> alt for NMDC, add it to Supports in the same manner as ADC, and in that manner it does not break anything...
- [09-01-05][20:56:01] <jvk> $Supports foo bar Ref=hub.example.com:1234
- [09-01-05][20:56:40] <jvk> compliant clients understand the Ref= and ignore it. Non-compliant clients do not understand it and also ignore it.
- [09-01-05][20:57:02] <jvk> status quo kept, at the cost of a few initial bytes.

I just thought I'd include this part since Offset didn't :)
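The receiving side of the proposal, as an added example that is not code from the thread or from any DC client: a small parser for the RF parameter in the opening post's CSUP form, for the `$Ref` command in its NMDC form, and for the `$Supports ... Ref=` variant in the quoted chat log, plus a tally that shows which hub reference is behind a burst of incoming connections. The sample handshakes, the hub names and the threshold of five are constructed for the example; the `count_hub_refs` and `hubs_over_threshold` helpers are assumptions, not part of the proposal.

```python
"""Detection-side handling of the hub-reference flag proposed in the thread.

Added example. The RF parameter, '$Ref' command and 'Ref=' token are the
thread's proposals; the sample handshakes below are constructed, not
captured traffic.
"""
from collections import Counter
from typing import Iterable, List, Optional, Tuple

NO_REF = "(no reference)"


def parse_adc_csup(line: str) -> dict:
    """Parse a client-to-client 'CSUP' handshake line.

    Returns the advertised features and the hub reference carried in the
    proposed 'RF' parameter (None when the peer did not send one). Unknown
    parameters are silently ignored, as the proposal requires.
    """
    tokens = line.strip().split(" ")
    if not tokens or tokens[0] != "CSUP":
        raise ValueError("not a CSUP command: %r" % line)
    features: List[str] = []
    ref: Optional[str] = None
    for tok in tokens[1:]:
        if tok.startswith("AD"):      # ADC: 'AD' adds a feature
            features.append(tok[2:])
        elif tok.startswith("RF"):    # proposed: the hub the CTM came from
            ref = tok[2:] or None
        # anything else ('RM...' or a future flag) is ignored
    return {"features": features, "ref": ref}


def parse_nmdc_handshake(data: str) -> Optional[str]:
    """Extract the hub reference from an NMDC client-to-client handshake.

    Accepts both forms discussed in the thread: a dedicated '$Ref <hub>'
    command and a 'Ref=<hub>' token inside '$Supports'.
    """
    for cmd in data.split("|"):
        cmd = cmd.strip()
        if cmd.startswith("$Ref "):
            return cmd[len("$Ref "):].strip() or None
        if cmd.startswith("$Supports "):
            for tok in cmd.split(" ")[1:]:
                if tok.startswith("Ref=") and len(tok) > len("Ref="):
                    return tok[len("Ref="):]
    return None


def count_hub_refs(handshakes: Iterable[Tuple[str, str]]) -> Counter:
    """Tally incoming handshakes by the hub they reference.

    `handshakes` yields (protocol, payload) pairs, protocol being 'adc' or
    'nmdc'. Malformed or unreferenced payloads are counted under NO_REF
    rather than dropped, so a flood without the flag still shows up.
    """
    tally: Counter = Counter()
    for proto, payload in handshakes:
        ref = None
        try:
            if proto == "adc":
                ref = parse_adc_csup(payload)["ref"]
            elif proto == "nmdc":
                ref = parse_nmdc_handshake(payload)
        except ValueError:
            pass
        tally[ref or NO_REF] += 1
    return tally


def hubs_over_threshold(tally: Counter, threshold: int) -> List[str]:
    """Hub references seen more than `threshold` times.

    A hub normally produces a handful of CTM-initiated connections; many
    from one reference in a short window points at that hub (or a user on
    it) as the source. NO_REF is reported too when it is over the limit,
    since a flooding client may simply omit the flag.
    """
    return sorted(ref for ref, n in tally.items() if n > threshold)


# Constructed sample: 12 ADC handshakes and 1 NMDC handshake.
SAMPLE = (
    [("adc", "CSUP ADBASE ADTIGR RFadc://flood.example.net:411")] * 8
    + [("adc", "CSUP ADBASE ADTIGR RFadc://hub.example.com:1234")] * 3
    + [("adc", "CSUP ADBASE ADTIGR")]
    + [("nmdc", "$MyNick bob|$Supports MiniSlots XmlBZList|"
                "$Ref dchub://hub.example.com:1234|$Lock EXTENDEDPROTOCOL Pk=x|")]
)

if __name__ == "__main__":
    tally = count_hub_refs(SAMPLE)
    for ref, n in tally.most_common():
        print("%3d  %s" % (n, ref))
    print("over threshold:", hubs_over_threshold(tally, 5))
```

Run against the constructed sample, the tally attributes eight of the twelve ADC connections to `adc://flood.example.net:411`, which is the only reference over the threshold; the one handshake without RF lands under `(no reference)`, which is the case the thread's replies worry about and the reason it is counted rather than discarded.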

Pietry
Senior Member
Posts: 328
Joined: 04 Dec 2007, 07:25
Location: Bucharest

Re: Preventing CTM attacks

Post by Pietry » 07 Jan 2009, 08:28

The hub_host can't be included because the user doesn't know it. The user only knows the address it used for connecting to that hub, so that user should be used for the flag. Anyway, it's a pointer to the hub that is sending fake CTMs.
Just someone


Pietry
Senior Member
Posts: 328
Joined: 04 Dec 2007, 07:25
Location: Bucharest

Re: Preventing CTM attacks

Post by Pietry » 15 Feb 2009, 09:50

This feature is now called REF and it has been implemented in DC++ (hopefully mods will inherit it). Here is the link on the wiki.
Just someone

Dj_Offset
Member
Posts: 53
Joined: 15 Sep 2008, 21:48
Location: adcs://adcs.uhub.org:1511

Re: Preventing CTM attacks

Post by Dj_Offset » 30 Sep 2009, 11:43

Does anyone have any info about whether or not this has been an effective countermeasure?

Toast

Re: Preventing CTM attacks

Post by Toast » 30 Sep 2009, 14:16

Think so, since this site doesn't get frequent attacks and everything can be logged now, so I guess only idiots use CTM DDoS. We don't get that many blacklists on the hublist either :)
