Parity and Aleth Ethereum nodes vulnerable to traffic amplification attacks

Ethereum nodes form a P2P network among each other. For a node to discover other Ethereum nodes a custom UDP based discovery protocol is used called discv4. The specification of that protocol is stable since the launch of Ethereum and available at https://github.com/ethereum/devp2p/blob/master/discv4.md

In general the discv4 protocol uses 4 packet types:

  • Ping
  • Pong
  • Findnode
  • Neighbors

In order to discover new nodes a node sends a findnode packet to another node which will in turn reply with a neighbors packet that contains a list of known nodes.

In the protocol specifications it is described, that before answering any findnode request a node must first verify that the requesting node also participates in the discovery protocol. This is required because the protocol uses UDP as network transport which is vulnerable to IP address spoofing.This verification is done by a mutual ping<->pong exchange between participating nodes.

If this verification is not done an attacker can utilize vulnerable Ethereum nodes in a traffic amplification attack. For that the attacker sends findnode requests to vulnerable Ethereum nodes which have the victims IP address as spoofed source address. Vulnerable nodes will then send a neighbors packet back to the victim. The main problem is, that while the findnode packet is only 171 bytes size, the returned neighbors packet can be up to 1280 bytes which allows the attacker to amplify its attacking traffic by a factor 7.

While updating the scraper for our Ethereum Node Explorer — ethernodes.org — we discovered that both Parity & Aleth are vulnerable to this type of attack. Especially with the currently large adoption of Parity nodes this can be come a significant problem.

The issue was disclosed to both development teams via their published responsible disclosure procedure. Below is the timeline of their respective responses:

Parity:

  • 10.01.2018 11:12 AM — Issue reported to the dev team
  • 10.01.2018 07:49 PM — Issue acknowledged by the dev team
  • 16.01.2018 01:06 AM — Fix released (Parity version 2.3.0 beta & 2.2.7 stable)

Aleth

  • 10.01.2018 — Issue reported to the dev team
  • 16.01.2018 — Issue acknowledged by the dev team
  • Currently awaiting a fixed version

Parity rewarded the Bug according to their bug bounty program. The received rewards will be donated to the Africa Amini Alama charity which organizes health, education, social support & sponsorship projects in Africa.