path: root/Changes.rst
author    Arne Schwabe  2023-01-10 02:59:01 +0100
committer Gert Doering  2023-01-10 08:05:13 +0100
commit    93d8d92319816a36f53ef8772bd6705f6abc2df9 (patch)
tree      8527366ae3b4f4346c33e3d3cce0ccaba7072e65 /Changes.rst
parent    d9906d1523a8ed46fce81cb8d559279e345bf849 (diff)
Add connect-freq-initial option to limit initial connection responses
This limits the number of packets OpenVPN will respond to. This avoids OpenVPN servers being abused for reflection attacks on a large scale as we have gotten a lot more efficient with the cookie approach in our initial connection handling.

The defaults of 100 attempts per 10s should work for most people, especially since completed three way handshakes are not counted. So the default will throttle connection attempts on servers with high packet loss or that are actually under a DOS.

The 100 per 10s are similar in size to the old 2.5 and earlier behaviour where every initial connection attempt would take up a slot of the max-clients sessions and those would only expire after the TLS timeout. This roughly translates to 1024 connection attempts in 60s on an empty server.

OpenVPN will announce once per period when starting to drop packets and ultimately how many packets it dropped:

    Connection Attempt Note: --connect-freq-initial 100 10 rate limit exceeded, dropping initial handshake packets for the next 10 seconds
    Connection Attempt Dropped 217 initial handshake packets due to --connect-freq-initial 100 10

to inform an admin about the consequences of this feature.

Patch v2: use strtol instead of atoi to be able to differentiate between an error parsing and parsing 0. Use int64_t instead of int to avoid overflow errors.

Patch v3: Add message when we start dropping. Add a few fixes to the logic. Improve docs.

Patch v4: missing return statement.

Patch v5: add build files for msvc build

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110015901.933522-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25938.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b520c68c67b6e52cd71b16675f1c436abf18d4dc)
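The fixed-window limiting the commit message describes, as an added illustration that is not OpenVPN's own code: the struct and function names are assumed, a window of `period` seconds answers at most `limit` initial handshakes, a completed three-way handshake releases its slot (an assumed model of "completed handshakes are not counted"), and the two log lines quoted above are emitted once per window.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed names and fixed-window semantics; not OpenVPN's implementation. */
struct initial_limiter {
    int64_t limit;        /* replies allowed per period (default 100) */
    int64_t period;       /* period length in seconds (default 10) */
    int64_t period_start; /* time at which the current window began */
    int64_t count;        /* unfinished initial handshakes in this window */
    int64_t dropped;      /* packets dropped so far in this window */
    bool warned;          /* rate-limit note already logged this window? */
};

/* Open a new window and report the finished window's drops, as described. */
static void limiter_rollover(struct initial_limiter *l, int64_t now)
{
    if (l->dropped > 0)
        printf("Connection Attempt Dropped %" PRId64 " initial handshake packets "
               "due to --connect-freq-initial %" PRId64 " %" PRId64 "\n",
               l->dropped, l->limit, l->period);
    l->period_start = now; l->count = l->dropped = 0; l->warned = false;
}

/* Completed three-way handshakes are not counted: release the slot (assumed). */
static void limiter_handshake_completed(struct initial_limiter *l)
{
    if (l->count > 0) l->count--;
}

/* Answer the initial handshake packet arriving at time `now`? */
static bool limiter_accept(struct initial_limiter *l, int64_t now)
{
    if (now - l->period_start >= l->period) limiter_rollover(l, now);
    if (l->count < l->limit) { l->count++; return true; }
    if (!l->warned) {  /* announce once per period, then drop quietly */
        printf("Connection Attempt Note: --connect-freq-initial %" PRId64 " %" PRId64
               " rate limit exceeded, dropping initial handshake packets for the "
               "next %" PRId64 " seconds\n", l->limit, l->period, l->period);
        l->warned = true;
    }
    l->dropped++;
    return false;
}
```

A burst of 150 packets in one window gets 100 replies and 50 drops with a single note; the next window starts with a fresh budget and prints the drop total of the previous one.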
Diffstat (limited to 'Changes.rst')
-rw-r--r--  Changes.rst  4
1 files changed, 4 insertions, 0 deletions
diff --git a/Changes.rst b/Changes.rst
index 160c8b1..b9a1ac7 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -166,6 +166,10 @@ Cookie based handshake for UDP server
shake. The tls-crypt-v2 option allows controlling if older clients are
accepted.
+ By default the rate of initial packet responses is limited to 100 per 10s
+ interval to avoid OpenVPN servers being abused in reflection attacks
+ (see ``--connect-freq-initial``).
+
Data channel offloading with ovpn-dco
2.6.0+ implements support for data-channel offloading where the data packets
are directly processed and forwarded in kernel space thanks to the ovpn-dco
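Review bot: the added Changes.rst sentence should tell admins what the limit counts and when they may need to tune it, since the commit message states that completed three-way handshakes are not counted and that servers with high packet loss will be throttled by the default; a sentence such as "Only handshakes that do not complete count against the limit; servers with high packet loss may need a higher value" after ``(see --connect-freq-initial)`` would cover it. Naming the "Connection Attempt Note" log line would also let admins recognise the throttling when it happens.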