From f55748a4225e55229fd8f8c9823477ac18ff5701 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Thu, 23 May 2024 16:07:16 +0200 Subject: [PATCH] MAJOR: config: prevent QUIC with clients privileged port by default Previous commit introduce new protection mechanism to forbid communications with clients which use a privileged source port. By default, this mechanism is disabled for every protocols. This patch changes the default value and activate the protection mechanism for QUIC protocol. This is justified as it is a probable sign of DNS/NTP amplification attack. This is labelled as major as it can be a breaking change with some network environments.
---
 doc/configuration.txt | 4 +++-
 src/haproxy.c | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index ef0cf8ea2..8f58d40e2 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1950,7 +1950,9 @@ harden.reject-privileged-ports.tcp { on | off }
 harden.reject-privileged-ports.quic { on | off }
 Toggle per protocol protection which forbid communication with clients which
 use privileged ports as their source port. This range of ports is defined
- according to RFC 6335. Protection is inactive by default on both protocols.
+ according to RFC 6335. By default, protection is active for QUIC protocol as
+ this behavior is suspicious and may be used as a spoofing or DNS/NTP
+ amplification attack.
 
 http-err-codes [+-][,...] [...]
 Replace, reduce or extend the list of status codes that define an error as
diff --git a/src/haproxy.c b/src/haproxy.c
index 30df816ff..c987fdbfa 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -210,8 +210,8 @@ struct global global = {
 .maxsslconn = DEFAULT_MAXSSLCONN,
 #endif
 #endif
- /* by default do not protect against clients using privileged port */
- .clt_privileged_ports = HA_PROTO_ANY,
+ /* by default allow clients which use a privileged port for TCP only */
+ .clt_privileged_ports = HA_PROTO_TCP,
 /* others NULL OK */
 };
 
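Review bot: The replacement comment above the new `.clt_privileged_ports = HA_PROTO_TCP` initializer states the policy ("allow clients which use a privileged port for TCP only") but not how the field is interpreted, so a reader cannot tell from this line whether a set bit means "accepted" or "rejected"; the move from `HA_PROTO_ANY` to `HA_PROTO_TCP` suggests it is a mask of protocols for which privileged client source ports are still accepted, but that is inferred, not stated. Suggested wording: `/* protocols for which clients using a privileged source port are still accepted; QUIC is rejected by default (see harden.reject-privileged-ports.{tcp,quic}) */`. Naming the configuration keywords here ties the hard-coded default to the knob that overrides it, which matters because the commit message flags this default as a potentially breaking change for some deployments. The `struct global global` initializer begins above this hunk; only its tail is visible here.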