Search Unity

  1. Unity 6 Preview is now available. To find out what's new, have a look at our Unity 6 Preview blog post.
    Dismiss Notice
  2. Unity is excited to announce that we will be collaborating with TheXPlace for a summer game jam from June 13 - June 19. Learn more.
    Dismiss Notice

Resolved Buffer Overflow Attack - how to prevent it?

Discussion in 'Unity Transport' started by MariuszKowalczyk, Mar 17, 2023.

  1. MariuszKowalczyk

    MariuszKowalczyk

    Joined:
    Nov 29, 2011
    Posts:
    301
    Correct me if I am wrong as when it comes to networking I mostly have experience with a higher level of abstraction than Transport offers.

    I would like to ask how to prevent buffer overflow attacks, when someone sends as many packets as possible to overflow the buffer (which are probably very easy to prepare, just create a Unity app that sends as many packets as possible without any limitation). The default value of ReceiveQueueCapacity is now 512, but even if I would make it very high (which I will) it will only make the attack harder.

    The solution to this would be to have a separated queue for every connection. Then if someone would attempt the attack he would only overflow his own buffer/queue. I am not sure if something like this is possible to implement by unity Transport team. Buf if it is possible I think it would be great if it would be implemented.

    Or if not per connection queue (which may make the memory usage less optimal), then maybe some per connection packet limit that will be executed on the receiving side? If more than x packets from a certain connection would be already in the queue, the next packets would be dropped.

    If it is not possible, is there any solution to prevent the buffers/queues from being overflowed on purpose?

    I would appreciate an answer, thank you.
     
    Last edited: Mar 17, 2023
  2. simon-lemay-unity

    simon-lemay-unity

    Unity Technologies

    Joined:
    Jul 19, 2021
    Posts:
    441
    Ultimately, the transport package is not at the right layer to effectively protect against denial-of-service attacks. Even with per-connection receive queues, a malicious user could still stage attacks to overflow the OS buffers (with the default UDP-based connections, all connections share the same socket and thus the same OS buffers). The best tools to deal with such attacks are either at the OS level (e.g. ban IPs if they go over a certain rate limit) or at the network infrastructure level.
     
  3. MariuszKowalczyk

    MariuszKowalczyk

    Joined:
    Nov 29, 2011
    Posts:
    301
    Thank you for the answer.