fastd UDP Traffic Amplification Vulnerability via Fast Reconnect Feature

Vulnerability

A UDP traffic amplification vulnerability has been identified in fastd, a VPN daemon, prior to version 23. When fastd receives a data packet from an unknown IP address or port, it mistakenly assumes that a connected peer has changed addresses. This triggers a 'fast reconnect' by sending a handshake packet, which amplifies the traffic. Even a 1-byte UDP packet can cause a response of approximately 150 bytes, creating an amplification factor of about 12-13. This vulnerability could be exploited to facilitate a Distributed Denial of Service (DDoS) attack by sending spoofed packets to fastd instances over the internet.

Impact

The vulnerability allows for UDP traffic amplification, which could be used to conduct a Distributed Denial of Service (DDoS) attack.

Reproduction

The vulnerability can be reproduced by sending UDP packets with a spoofed source address to a fastd instance that is reachable over the internet. The packets should be directed to a UDP port that the fastd instance is listening on. Once the fastd instance receives the packet, it will initiate a fast reconnect by sending a handshake packet back to the address from which the spoofed packet was sent. This process amplifies the UDP traffic by approximately 12-13 times, creating a larger volume of outgoing traffic that can be used to disrupt services.
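A defender watching a fastd host can look for the pattern this advisory describes: tiny inbound packets answered by roughly 150-byte handshakes toward addresses that never behave like real peers. The following is an added detection example, not code from the advisory or from fastd itself; the flow records are constructed using documentation addresses, and the ratio and port thresholds are assumptions to tune per deployment.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records, not captured traffic. Each record is
    (direction, remote_ip, remote_port, size_bytes) for packets on the
    port fastd is bound to: "in" arrived at the daemon, "out" was sent by it."""
    flows = [
        # A legitimate peer: data packets of similar size flow both ways.
        ("in", "203.0.113.5", 10000, 1400),
        ("out", "203.0.113.5", 10000, 1380),
        ("in", "203.0.113.5", 10000, 1400),
        ("out", "203.0.113.5", 10000, 1390),
    ]
    # A spoofed victim address: 1-byte packets from 20 different ports, each
    # answered by a ~150-byte handshake (the fast reconnect described above).
    for i in range(20):
        flows.append(("in", "198.51.100.7", 40000 + i, 1))
        flows.append(("out", "198.51.100.7", 40000 + i, 150))
    return flows


def find_amplified_targets(flows, min_ratio=8.0, min_ports=10):
    """Flag remote addresses that receive far more bytes from the daemon than
    they send to it, across many distinct ports. A real peer exchanges data
    at roughly 1:1 on one port; a spoofed victim gets handshakes it never
    asked for. Returns {ip: (bytes_in, bytes_out, ratio, distinct_ports)}."""
    bytes_in = defaultdict(int)   # bytes that arrived claiming this source IP
    bytes_out = defaultdict(int)  # bytes fastd sent back to that IP
    ports = defaultdict(set)
    for direction, ip, port, size in flows:
        if direction == "in":
            bytes_in[ip] += size
        elif direction == "out":
            bytes_out[ip] += size
        else:
            raise ValueError(f"unknown direction {direction!r}")
        ports[ip].add(port)
    flagged = {}
    for ip in set(bytes_in) | set(bytes_out):
        sent, received = bytes_in[ip], bytes_out[ip]
        ratio = received / sent if sent else float("inf")
        if ratio >= min_ratio and len(ports[ip]) >= min_ports:
            flagged[ip] = (sent, received, ratio, len(ports[ip]))
    return flagged
```

In practice the records would come from a flow exporter or a per-packet pcap summary filtered to the fastd bind port; an address flagged here is a likely spoofing victim, so the response is rate limiting or upgrading, not blocking that address.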

Remediation

Users can upgrade to fastd version 23, which includes several mitigations for this vulnerability. Instructions for upgrading can be found in the fastd repository on GitHub.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.