Prevent DOS attack on UDP echo servers by distinguishing between an echo request

net/tools/testserver/testserver.py

 #!/usr/bin/python2.4
 # Copyright (c) 2011 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""This is a simple HTTP/FTP/SYNC/TCP ECHO/UDP ECHO/ server used for testing
-Chrome.
+"""This is a simple HTTP/FTP/SYNC/TCP/UDP/ server used for testing Chrome.
 
 It supports several test URLs, as specified by the handlers in TestPageHandler.
 By default, it listens on an ephemeral port and sends the port number back to
 the originating process over a pipe. The originating process can specify an
 explicit port if necessary.
 It can use https if you specify the flag --https=CERT where CERT is the path
 to a pem file containing the certificate and private key that should be used.
 """
 
 import asyncore
 import base64
 import BaseHTTPServer
 import cgi
 import errno
 import optparse
 import os
+import random
 import re
 import select
 import simplejson
 import SocketServer
 import socket
 import sys
 import struct
 import time
 import urlparse
 import warnings
 import zlib
 
 # Ignore deprecation warnings, they make our output more cluttered.
 warnings.filterwarnings("ignore", category=DeprecationWarning)
 
+import echo_message
 import pyftpdlib.ftpserver
 import tlslite
 import tlslite.api
 
 try:
   import hashlib
   _new_md5 = hashlib.md5
 except ImportError:
   import md5
   _new_md5 = md5.new
@@ skipping 1438 matching lines @@
 
 
 class TCPEchoHandler(SocketServer.BaseRequestHandler):
   """The RequestHandler class for TCP echo server.
 
   It is instantiated once per connection to the server, and overrides the
   handle() method to implement communication to the client.
   """
 
   def handle(self):
-    data = self.request.recv(65536)
-    if not data:
+    """Handles the request from the client and responds back with a response."""
+
+    data = self.request.recv(65536).strip()
+    # Verify the "echo request" message received from the client. Send back
+    # "echo response" message if "echo request" message is valid.
+    try:
+      return_data = echo_message.GetEchoResponseData(data)
+      if not return_data:
         return
-    self.request.send(data)
+    except ValueError:
+      return
+
+    self.request.send(return_data)
 
 
 class UDPEchoHandler(SocketServer.BaseRequestHandler):
   """The RequestHandler class for UDP echo server.
 
   It is instantiated once per connection to the server, and overrides the
   handle() method to implement communication to the client.
   """
 
   def handle(self):
+    """Handles the request from the client and responds back with a response."""
+
     data = self.request[0].strip()
     socket = self.request[1]
-    socket.sendto(data, self.client_address)
+    # Verify the "echo request" message received from the client. Send back
+    # "echo response" message if "echo request" message is valid.
+    try:
+      return_data = echo_message.GetEchoResponseData(data)
+      if not return_data:
+        return
+    except ValueError:
+      return
+    socket.sendto(return_data, self.client_address)
 
 
 class FileMultiplexer:
   def __init__(self, fd1, fd2) :
     self.__fd1 = fd1
     self.__fd2 = fd2
 
   def __del__(self) :
     if self.__fd1 != sys.stdout and self.__fd1 != sys.stderr:
       self.__fd1.close()
@@ skipping 46 matching lines @@
     server._device_management_handler = None
     server.policy_keys = options.policy_keys
     server.policy_user = options.policy_user
   elif options.server_type == SERVER_SYNC:
     server = SyncHTTPServer(('127.0.0.1', port), SyncPageHandler)
     print 'Sync HTTP server started on port %d...' % server.server_port
     print 'Sync XMPP server started on port %d...' % server.xmpp_port
     server_data['port'] = server.server_port
     server_data['xmpp_port'] = server.xmpp_port
   elif options.server_type == SERVER_TCP_ECHO:
+    # Used for generating the key (randomly) that encrypts the "echo request"
+    # message.
+    random.seed()
     server = TCPEchoServer(('127.0.0.1', port), TCPEchoHandler)
     print 'Echo TCP server started on port %d...' % server.server_port
     server_data['port'] = server.server_port
   elif options.server_type == SERVER_UDP_ECHO:
+    # Used for generating the key (randomly) that encrypts the "echo request"
+    # message.
+    random.seed()
     server = UDPEchoServer(('127.0.0.1', port), UDPEchoHandler)
     print 'Echo UDP server started on port %d...' % server.server_port
     server_data['port'] = server.server_port
   # means FTP Server
   else:
     my_data_dir = MakeDataDir()
 
     # Instantiate a dummy authorizer for managing 'virtual' users
     authorizer = pyftpdlib.ftpserver.DummyAuthorizer()
 
@@ skipping 106 matching lines @@
                            'random key if none is specified on the command '
                            'line.')
   option_parser.add_option('', '--policy-user', default='user@example.com',
                            dest='policy_user',
                            help='Specify the user name the server should '
                            'report back to the client as the user owning the '
                            'token used for making the policy request.')
   options, args = option_parser.parse_args()
 
   sys.exit(main(options, args))