If I’m not mistaken, the mainline bitcoind will accept unsolicited addr messages, and upon receiving this message the struct is deserialized, after which it confirms every address from the unsolicited sender. The addr struct allows up to 1,000 arbitrary address:port tuples and there is no port restriction… so what exactly is stopping an attacker from flooding the 100k or so bitcoind nodes with the address of some target web servers on 80 and 443?
…To make matters more abusable, the client knowingly accepts information dated in the future, and will retry 3 times whatever the error, even on a protocol mismatch. This means that flooding a control-plane service like sshd or a VPN, or even a whole IP range of providers, might cause numerous problems for a target entity with a large network footprint.
A similar issue to this was exploited on the DC++ network.
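
A receiving node can bound the behaviour the post describes by validating addr entries before it connects to any of them. The sketch below is an added example, not part of the original post and not bitcoind's own code: it parses the addr wire format and applies an assumed policy. `BLOCKED_PORTS`, `MAX_FUTURE_SECS` and all function names are hypothetical, and the sample payload is constructed.

```python
import ipaddress
import struct
import time

MAX_ADDR = 1000                # per-message limit stated in the post
MAX_FUTURE_SECS = 600          # assumed clock-skew tolerance
BLOCKED_PORTS = {22, 80, 443}  # assumed policy: service ports named in the post
ENTRY_LEN = 30                 # time(4) + services(8) + ip(16) + port(2)

def read_varint(buf, off):
    """Decode a CompactSize integer; return (value, next_offset)."""
    first = buf[off]
    if first < 0xFD:
        return first, off + 1
    size, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack_from(fmt, buf, off + 1)[0], off + 1 + size

def filter_addr(payload, now=None):
    """Split addr entries into (accepted, rejected) before any dial-out."""
    now = int(time.time()) if now is None else now
    count, off = read_varint(payload, 0)
    if count > MAX_ADDR:
        raise ValueError("addr message exceeds entry limit")
    if len(payload) - off != count * ENTRY_LEN:
        raise ValueError("payload length does not match entry count")
    accepted, rejected = [], []
    for _ in range(count):
        ts, _services, raw_ip = struct.unpack_from("<IQ16s", payload, off)
        (port,) = struct.unpack_from(">H", payload, off + 28)  # port is big-endian
        off += ENTRY_LEN
        v6 = ipaddress.IPv6Address(raw_ip)
        ip = str(v6.ipv4_mapped or v6)
        if ts > now + MAX_FUTURE_SECS:
            rejected.append((ip, port, "future timestamp"))
        elif port in BLOCKED_PORTS:
            rejected.append((ip, port, "blocked port"))
        else:
            accepted.append((ip, port))
    return accepted, rejected

def make_entry(ts, ip, port):
    """Build one constructed IPv4-mapped entry for the sample below."""
    mapped = ipaddress.IPv6Address("::ffff:" + ip).packed
    return struct.pack("<IQ16s", ts, 1, mapped) + struct.pack(">H", port)

NOW = 1_700_000_000  # constructed reference time
SAMPLE = (b"\x03" + make_entry(NOW - 60, "198.51.100.7", 8333)
          + make_entry(NOW - 60, "203.0.113.5", 443)
          + make_entry(NOW + 86400, "198.51.100.9", 8333))

if __name__ == "__main__":
    print(filter_addr(SAMPLE, now=NOW))
```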