[FS#4011] TCP queries to dnsmasq can cause OOM and DoS attack
OpenWrt Bugs
openwrt-bugs at lists.openwrt.org
Mon Sep 6 08:59:24 PDT 2021
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
A new Flyspray task has been opened. Details are below.
User who did this - Brian J. Murrell (brianjmurrell)
Attached to Project - OpenWrt/LEDE Project
Summary - TCP queries to dnsmasq can cause OOM and DoS attack
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To -
Operating System - All
Severity - High
Priority - Very Low
Reported Version - openwrt-19.07
Due in Version - Undecided
Due Date - Undecided
Details - Supply the following if possible:
- Device problem occurs on: tplink,tl-wdr4300-v1
- Software versions of OpenWrt/LEDE release, packages, etc.: 19.07.8
- Steps to reproduce:
  Use a tool like netcat to open many (i.e. 20+) TCP connections to port 53, simulating TCP DNS queries
  Observe how dnsmasq forks for each connection
  Observe how at some point enough dnsmasq children are running that the kernel starts OOMing
This is a quick/easy demonstration of how simply an OpenWrt router can be DoS attacked.
There is a hard-coded MAX_PROCS which defaults to 20. This clearly is too high for resource-constrained systems like OpenWrt routers.
There is a discussion of this problem on the dnsmasq ML @ https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014907.html which includes a patch to make MAX_PROCS a run-time tunable. This could be used by OpenWrt to scale up/down the MAX_PROCS value based on the size of the system it's running on.
It could/should be user-overridable in case he/she knows better what the value should be than any attempt by OpenWrt to scale on a given router.
More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=4011
You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
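
Added example, not part of the report and not OpenWrt or dnsmasq code: a small monitoring check for the condition described above, counting forked dnsmasq TCP children against the MAX_PROCS default of 20 and flagging low free memory. The input format, the process sample, the function names and the warning thresholds are assumptions made for illustration.

```shell
#!/bin/sh
# Input format (assumed): one process per line, "PID PPID RSS_KB COMM".
# On a router these fields can be collected from /proc/<pid>/status.

# Constructed sample: main dnsmasq (pid 1200, parent pid 1) with three
# forked children handling TCP connections.
SAMPLE_PS='1 0 1480 procd
1200 1 1904 dnsmasq
2301 1200 1712 dnsmasq
2302 1200 1708 dnsmasq
2303 1200 1716 dnsmasq
2410 1 900 dropbear'

# Print "<child count> <summed child RSS in kB>" for dnsmasq processes whose
# parent is also dnsmasq. RSS overstates real cost because forked children
# share pages with the parent; a dnsmasq script helper, if one is running,
# is counted as a child too.
dnsmasq_children() {
    awk '
        { ppid[$1] = $2; rss[$1] = $3; comm[$1] = $4 }
        END {
            n = 0; kb = 0
            for (p in comm)
                if (comm[p] == "dnsmasq" && (ppid[p] in comm) &&
                    comm[ppid[p]] == "dnsmasq") { n++; kb += rss[p] }
            print n, kb
        }'
}

# classify <children> <mem_available_kb> [max_procs] [low_water_kb]
# max_procs defaults to 20, the hard-coded value named in the report.
# The "half of the cap" and 8192 kB thresholds are illustrative assumptions.
classify() {
    children=$1; avail_kb=$2; max_procs=${3:-20}; low_kb=${4:-8192}
    if [ "$children" -ge "$max_procs" ]; then
        echo critical        # dnsmasq is at its fork limit
    elif [ $((children * 2)) -ge "$max_procs" ] || [ "$avail_kb" -lt "$low_kb" ]; then
        echo warn            # many children, or little memory left
    else
        echo ok
    fi
}

# Run over the constructed sample; 20000 stands in for MemAvailable (kB)
# as read from /proc/meminfo.
counts=$(printf '%s\n' "$SAMPLE_PS" | dnsmasq_children)
echo "dnsmasq children / child RSS kB: $counts -> $(classify "${counts% *}" 20000)"
```
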