FS#4011 - TCP queries to dnsmasq can cause OOM and DoS attack #9003
Labels: core packages (pull request/issue for core (in-tree) packages), feature request (issue report with feature request), flyspray
brianjmurrell:
Use a tool like netcat to open many (i.e. 20+) TCP connections to port 53, simulating TCP DNS queries
Observe how dnsmasq forks for each connection
Observe how at some point enough dnsmasq children are running that the kernel starts OOMing
This is a quick/easy demonstration on how simply an OpenWRT router can be DoS attacked.
There is a hard coded MAX_PROCS which defaults to 20. This clearly is too high for resource constrained systems like OpenWRT routers.
There is a discussion of this problem on the dnsmasq ML @ https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014907.html which includes a patch to make MAX_PROCS a run-time tunable. This could be used by OpenWRT to scale up/down the MAX_PROCS value based on the size of system it's running on.
It could/should be user-overridable in case he/she knows better what the value should be than any attempt by OpenWRT to scale on a given router.
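A defender-side check for the fork storm the report describes, written as an added example that is not part of the issue, of dnsmasq or of OpenWrt: it counts dnsmasq processes in a BusyBox-style `ps` listing (PID USER VSZ STAT COMMAND) and raises an alert when the number of forked per-connection children reaches a chosen threshold below the hard-coded MAX_PROCS of 20. The sample `ps` output, the threshold of 15 and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the issue or from dnsmasq/OpenWrt: a watchdog check
# that measures how many TCP children dnsmasq has forked, so an operator can
# see the condition described in the report before the kernel starts OOMing.

# Constructed BusyBox-style ps listing: one parent dnsmasq plus three forked
# children handling TCP connections.
PS_SAMPLE="  PID USER       VSZ STAT COMMAND
    1 root      1200 S    /sbin/procd
  812 dnsmasq   1100 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k
  901 dnsmasq   1100 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k
  902 dnsmasq   1100 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k
  903 dnsmasq   1100 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k
  950 root       900 S    /usr/sbin/uhttpd -f -h /www"

# count_dnsmasq_procs: read a ps listing on stdin, print the number of
# processes whose program name is dnsmasq (path and arguments ignored).
count_dnsmasq_procs() {
    awk '
        NR == 1 { next }            # skip the header line
        {
            cmd = $5                # BusyBox ps: 5th field starts the command
            sub(/^.*\//, "", cmd)   # strip any leading directory path
            if (cmd == "dnsmasq") n++
        }
        END { print n + 0 }
    '
}

# dnsmasq_fork_status: returns 0 while the number of forked children is below
# the threshold, 1 once it reaches it. One dnsmasq process is the long-lived
# parent; every additional one is a per-connection TCP child.
# $1 = alert threshold (default 15, a constructed level below MAX_PROCS=20)
dnsmasq_fork_status() {
    threshold="${1:-15}"
    total=$(count_dnsmasq_procs)
    if [ "$total" -gt 0 ]; then
        children=$((total - 1))
    else
        children=0
    fi
    if [ "$children" -ge "$threshold" ]; then
        echo "ALERT: $children dnsmasq TCP children (threshold $threshold)"
        return 1
    fi
    echo "ok: $children dnsmasq TCP children (threshold $threshold)"
    return 0
}

# Stand-alone demonstration on the constructed listing.
# On a router the same check is:  ps | dnsmasq_fork_status 15
printf '%s\n' "$PS_SAMPLE" | dnsmasq_fork_status 15
```

The threshold is deliberately below MAX_PROCS so the alert fires while the router still has headroom; on a memory-constrained device the value should track whatever child count the system can actually sustain, which is the same sizing question the report asks OpenWrt to answer.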