From: W.C.A. Wijngaards
Date: Wed, 18 Jan 2023 12:18:47 +0000 (+0100)
Subject: - Fix not following cleared RD flags potentially enables amplification
X-Git-Tag: release-1.19.0rc1~38^2~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b12ab31ae36ae2b124748d37835d74dca15b161f;p=thirdparty%2Funbound.git

- Fix not following cleared RD flags potentially enables amplification DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab, Tsinghua University. The fix stops query loops, by refusing to send RD=0 queries to a forwarder, they still get answered from cache.
---
diff --git a/doc/Changelog b/doc/Changelog index 5b37c57be..4fd636e36 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,9 @@ +18 January 2023: Wouter + - Fix not following cleared RD flags potentially enables amplification + DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab, + Tsinghua University. The fix stops query loops, by refusing to send + RD=0 queries to a forwarder, they still get answered from cache. + 13 January 2023: Wouter - Merge #826: Аdd a metric about the maximum number of collisions in lrushah. diff --git a/iterator/iterator.c b/iterator/iterator.c index 33095b2b5..751179496 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c 
@@ -1451,6 +1451,19 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, errinf(qstate, "malloc failure for forward zone"); return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } + if((qstate->query_flags&BIT_RD)==0) { + /* If the server accepts RD=0 queries and forwards + * with RD=1, then if the server is listed as an NS + * entry, it starts query loops. Stop that loop by + * disallowing the query. The RD=0 was previously used + * to check the cache with allow_snoop. For stubs, + * the iterator pass would have primed the stub and + * then cached information can be used for further + * queries. */ + verbose(VERB_ALGO, "cannot forward RD=0 query, to stop query loops"); + errinf(qstate, "cannot forward RD=0 query"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } iq->refetch_glue = 0; iq->minimisation_state = DONOT_MINIMISE_STATE; /* the request has been forwarded.
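Review bot: in the doc/Changelog hunk, the entry describes the cause (query loops, amplification) but not the user-visible behaviour change, namely that an RD=0 query for a name under a forward zone that is not already in cache now receives SERVFAIL instead of being forwarded; operators reading the changelog after an upgrade will want that stated explicitly, e.g. append "RD=0 queries to a forward zone that are not answered from cache now get SERVFAIL."

Review bot: the new `if((qstate->query_flags&BIT_RD)==0)` block in processInitRequest answers the refusal with `LDNS_RCODE_SERVFAIL`, yet the comment describes a deliberate policy decision (do not forward RD=0) rather than a resolver failure, so `LDNS_RCODE_REFUSED` would describe the condition more accurately to clients and is the rcode normally used when a resolver declines to act on a query; if SERVFAIL is kept intentionally (for example so that the error path is the same as the preceding malloc-failure case), the comment should say why. The comment also states that "The RD=0 was previously used to check the cache with allow_snoop", and the commit message says such queries "still get answered from cache", but nothing in this hunk shows that the cache lookup runs before this point in the forward path; since the change touches only doc/Changelog and iterator/iterator.c, a regression test covering an RD=0 query against a forward zone both when the answer is cached (expect the cached answer) and when it is not (expect the error response, and no outgoing query to the forwarder) would pin down both halves of the claimed behaviour.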