Nethermind client accepts too many packets in the RLPx protocol
Attack scenario *
More detailed description of the attack/bug scenario and unexpected/buggy behaviour
When making the initial handshake with a node, the first step is:
1. initiator connects to recipient and sends its auth message
The initiator can send many auth messages before getting disconnected by the recipient (Nethermind client).
I was able to send up to 180k messages before Nethermind closed the connection.
In comparison to other execution clients:
- Reth accepts 20-30 messages before closing the connection.
- Geth between 50 and 100
- Besu 200-500
- Erigon 80-120
Impact *
Describe the effect this may have in a production setting
Setting limits on the number of packets accepted reduces the risk of DoS.
Accepting so many could pose a problem and make Nethermind more vulnerable.
I tried monitoring a Nethermind client and a Geth client with Docker to see how they react to this; here are the results:
By sending the packets (up to 180k with Nethermind) I'm able to add 60-70 MB to the network in one connection before Nethermind closes the connection. In comparison, with Geth (50-100 packets before closing the connection) this adds only 0.1 MB to the network data.
I have also observed that the CPU %, which runs between 10 and 20% in normal operation, rises to 105% when I send packets to Nethermind. In comparison, with Geth the CPU % does not seem to change when I'm sending the packets.
For the memory usage I don't see anything wrong.
Components *
Point to the files, functions, and/or specific line numbers where the bug occurs
The bug occurs in the first step of the RLPx initial handshake (https://github.com/ethereum/devp2p/blob/master/rlpx.md#initial-handshake).
Reproduction *
If you used any sort of tools/simulations to find the bug, describe in detail how to reproduce the buggy behaviour.
I use a modified version of the Geth devp2p binaries available here:
https://github.com/mohasdev/spam-packet-poc
The repo is private; tell me if you need access, I have already added Fredrik.
Just clone the repo and launch the command:
make all
Then launch this command:
./build/bin/devp2p rlpx <enode address>
You can try the command multiple times since the number of packets accepted by Nethermind varies.
You can run the nodes in a private network using Kurtosis or run them locally on your computer.
I use Kurtosis with 1 Geth client and 1 Nethermind client.
If you use Kurtosis you can monitor the clients with this command:
docker stats
This is the one I used, but you can use whichever tool you prefer to observe the behaviour.
Fix
Description of suggested fix, if available
Set a limit on the number of packets accepted by Nethermind before it closes the connection.
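As an added illustration of the suggested fix (example code written for this report, not Nethermind's own code; the type names, error values and limit values are assumptions), a per-connection budget in Go that caps how many frames and how many bytes a peer may send before its auth message has been validated, and stops counting once the handshake completes:

```go
package main

import "errors"

// PreAuthLimits bounds what one inbound connection may send before its RLPx auth message is validated.
type PreAuthLimits struct {
	MaxMessages int // frames accepted before the handshake completes
	MaxBytes    int // total bytes accepted before the handshake completes
}

var ErrTooManyPreAuthMessages = errors.New("rlpx: too many frames before handshake")
var ErrTooManyPreAuthBytes = errors.New("rlpx: too many bytes before handshake")

// PreAuthGuard tracks a single connection's pre-authentication budget.
type PreAuthGuard struct {
	limits          PreAuthLimits
	messages, bytes int
	done            bool
}

// Observe is called for every frame read before the handshake completes; a non-nil error means close the connection.
func (g *PreAuthGuard) Observe(n int) error {
	if g.done {
		return nil // authenticated peers fall under the normal peer limits
	}
	g.messages++
	g.bytes += n
	if g.messages > g.limits.MaxMessages {
		return ErrTooManyPreAuthMessages
	}
	if g.bytes > g.limits.MaxBytes {
		return ErrTooManyPreAuthBytes
	}
	return nil
}

// Complete marks the auth message as validated; the budget no longer applies.
func (g *PreAuthGuard) Complete() { g.done = true }

// Simulate replays a constructed sequence of frame sizes and returns the 1-based frame at which the peer is dropped (0 = never).
func Simulate(l PreAuthLimits, sizes []int) (int, error) {
	g := &PreAuthGuard{limits: l}
	for i, n := range sizes {
		if err := g.Observe(n); err != nil {
			return i + 1, err
		}
	}
	return 0, nil
}
```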