GrapheneOS on Nostr: Tracking all connections with conntrack is enough to open up a new denial of service ...
Tracking all connections with conntrack is enough to open up a new denial of service attack vector since the conntrack table can be filled by an attacker. For this reason, we were previously making all inbound connections untracked and are still doing that for both UDP and ICMP.
Published at 2024-04-16 15:02:52

Event JSON
{
  "id": "0d5ae3e873e4c5485d4b9697afb3b57d2187859cf374245f1ff1fc9a1b27a6c0",
  "pubkey": "5468bceeb74ce35cb4173dcc9974bddac9e894a74bf3d44f9ca8b7554605c9ed",
  "created_at": 1713279772,
  "kind": 1,
  "tags": [
    [
      "e",
      "7f3e5952bdddc7370074ccbbc1f24fef6f103266ee9d50bb1b5e6a99c164e0ff",
      "wss://relay.mostr.pub",
      "reply"
    ],
    [
      "proxy",
      "https://grapheneos.social/users/GrapheneOS/statuses/112281503170366089",
      "activitypub"
    ]
  ],
  "content": "Tracking all connections with conntrack is enough to open up a new denial of service attack vector since the conntrack table can be filled by an attacker. For this reason, we were previously making all inbound connections untracked and are still doing that for both UDP and ICMP.",
  "sig": "84ca37bfd643c46790f3b2fcc580feb39d25962ffd262eab0ea74f7357116edf607bab5439126598571c4212528c51138d23a4f27b4f839d30500a577c62ae1f"
}