linuxdcpp-team team mailing list archive

[Bug 2019497] Re: Handling of CTM/search DDoS triggered by a malicious hub

 

Some experiences regarding the current implementation in AirDC++:

Looks like there's at least one user that seems to exceed even the
latest block limit of 45 attempts within 30 seconds for incoming
connections. The user has a fake tag so I assume that the client has been
modified so I guess that the error is appropriate in that case.

Connection hiccups are a bit trickier. There's a guy with a VPN setup
that seems to cause connection cuts (possibly for several minutes). This
causes the searches to be received in bursts, triggering the spam
warnings (and even the DDoS warning). I'm not sure if there is anything
else that can be done than to allow the flood checks to be disabled (or
make them adjustable).

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/2019497

Title:
  Handling of CTM/search DDoS triggered by a malicious hub

Status in AirDC++:
  Fix Released
Status in DC++:
  Confirmed

Bug description:
  I've received a few weird crash reports that are both linked to a
  specific hub (favorite-hub.net):

  https://github.com/airdcpp-web/airdcpp-webclient/issues/450
  https://github.com/airdcpp/airdcpp-windows/issues/63

  While inspecting the issue more closely, I noticed that the client
  receives about 300 search/CTM requests per second from the hub,
  similar to these:

  $Search 82.146.38.183:80 F?F?0?1?t
  $ConnectToMe maksis 82.146.38.183:443
  $Search 82.146.38.183:443 F?F?0?1?p
  $ConnectToMe maksis 82.146.38.183:80
  $Search 82.146.38.183:80 F?F?0?1?t
  $ConnectToMe maksis 82.146.38.183:443
  $Search 82.146.38.183:443 F?F?0?1?p
  $ConnectToMe maksis 82.146.38.183:80
  $Search 82.146.38.183:80 F?F?0?1?t
  $ConnectToMe maksis 82.146.38.183:443

  Looks like this has been going on for years already and the client is
  unable to even report it in a meaningful way. DC++ shows a few status
  messages about search spam but that doesn't really reveal the full
  extent of the problem as the aim of the hub is clearly to consume all
  possible system resources from its users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/airdcpp/+bug/2019497/+subscriptions
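
As an added illustration (not code from AirDC++ or DC++, and not part of the original message), here is a per-target sliding-window check in C++ that uses the 45-per-30-seconds figure mentioned in the comment. Keying the counter by target IP and the names `targetIp`, `FloodCheck` and `replay` are assumptions. It flags the 300-requests-per-second flood from the report, and it also shows the false positive when normally paced requests arrive in one burst after a connection stall.

```cpp
// Added example (not AirDC++ or DC++ code): flood check keyed by target IP (assumption).
#include <deque>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Target IP of "$Search ip:port ..." or "$ConnectToMe nick ip:port".
// Returns "" for other commands and for passive searches ("$Search Hub:nick ...").
std::string targetIp(const std::string& line) {
    std::istringstream in(line);
    std::string cmd, tok;
    in >> cmd;
    if (cmd == "$ConnectToMe") in >> tok;            // skip the nick
    else if (cmd != "$Search") return "";
    if (!(in >> tok) || tok.rfind("Hub:", 0) == 0) return "";
    auto colon = tok.rfind(':');
    return colon == std::string::npos ? "" : tok.substr(0, colon);
}

class FloodCheck {
    std::map<std::string, std::deque<double>> seen_; // target IP -> arrival times (s)
    unsigned limit_; double window_;
public:
    FloodCheck(unsigned limit, double window) : limit_(limit), window_(window) {}
    // Record one request received at `now`; true once the target is over the limit.
    bool hit(const std::string& line, double now) {
        std::string ip = targetIp(line);
        if (ip.empty()) return false;
        auto& q = seen_[ip];
        while (!q.empty() && now - q.front() >= window_) q.pop_front();
        q.push_back(now);
        return q.size() > limit_;
    }
};

// Replay n copies through a 45-per-30 s check; 1-based index of first flagged request, or 0.
int replay(const std::string& line, int n, double start, double step) {
    FloodCheck fc(45, 30.0);
    for (int i = 0; i < n; ++i)
        if (fc.hit(line, start + i * step)) return i + 1;
    return 0;
}

int main() {
    const std::string ctm = "$ConnectToMe maksis 82.146.38.183:443"; // line from the report
    std::cout << "300/s flood: #" << replay(ctm, 600, 0, 1.0 / 300) << "\n";
    std::cout << "1/s paced: #" << replay(ctm, 120, 0, 1.0) << "\n";
    std::cout << "same 120 after a stall: #" << replay(ctm, 120, 200, 0) << "\n";
}
```

Because the check only sees arrival times, a stalled link that delivers queued requests at once is indistinguishable from a flood, which is why an adjustable or disableable limit comes up in the comment above.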


