[zeromq-dev] Curve: Potential DoS with error commands ?

Diego Duclos diego.duclos at palmstonegames.com
Thu Jul 3 20:15:31 CEST 2014


I've been reading up on the Curve spec in more detail, and the way the error
packet currently works caught me by surprise. Couldn't a crafted TCP packet
with an error command be sent to a client, tricking it into thinking the
server has denied its credentials when it has done no such thing?
This allows someone with the ability to listen in but not block packets to
do denial of service, which wouldn't be the case if the error packet was
authenticated & encrypted.