Ws server protected by cloudflare vulnerable to simple attack

[creikey]

This code:

import asyncdispatch, asynchttpserver, ws

proc main() {.async.} =
  var ws = await newWebSocket("wss://cloudflare-protected-server.com")

  await ws.send(newString(1024*1024*1024*2))
  echo "sent"
  echo await ws.receiveStrPacket()

  ws.close()

waitFor main()

Will cause the server to allocate gigabytes of memory and stall filling the buffer with the empty data created in newString, cloudflare does not prevent this

[treeform]

Hmm we could define a max packet length field. But I don't think that would work well in all cases.

But maybe some thing like an inspect hook is better.

proc onPacketHook(address, length) =
 # if user/address is authenticated any length can work
 # if users is not authenticated only small packets used for authentication can work
 # if the address is rate limited reject all lengths and packets

Maybe on onConnectHook(address) and onPacketHook(address, length)

Thoughts?

[creikey]

Hmm we could define a max packet length field. But I don't think that would work well in all cases.

But maybe some thing like an inspect hook is better.

proc onPacketHook(address, length) =
 # if user/address is authenticated any length can work
 # if users is not authenticated only small packets used for authentication can work
 # if the address is rate limited reject all lengths and packets

Maybe on onConnectHook(address) and onPacketHook(address, length)

Thoughts?

This seems like a pretty neat and simple solution, keeps the library flexible. It's odd to me that cloudflare etc doesn't have the ability for the application to report bad users and configure a timeout or something. The main issue with this attack is that the tcp packet recv just allocates whatever the header size the websocket packet reports, if a hook like this can stop that then I think it works