diff --git a/ChangeLog b/ChangeLog
index 04304efaf..bbd4fc532 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -66,6 +66,7 @@ incoming connection
 	* added more detailed instrumentation of the disk I/O thread
+	* avoid connecting to peers listening on ports < 1024
 	* optimized piece picking to not cause busy loops in some end-game modes
 	* fixed python bindings for tcp::endpoint
 	* fixed edge case of pad file support
diff --git a/include/libtorrent/session_settings.hpp b/include/libtorrent/session_settings.hpp
index f073cd772..5561d7dc7 100644
--- a/include/libtorrent/session_settings.hpp
+++ b/include/libtorrent/session_settings.hpp
@@ -254,6 +254,7 @@ namespace libtorrent
 			, announce_double_nat(false)
 			, torrent_connect_boost(10)
 			, seeding_outgoing_connections(true)
+			, no_connect_privileged_ports(true)
 		{}
 
 		// libtorrent version. Used for forward binary compatibility
@@ -1014,6 +1015,11 @@ namespace libtorrent
 		// making outgoing connections is costly and known to not
 		// add any benefits
 		bool seeding_outgoing_connections;
+
+		// when this is true, libtorrent will not attempt to make outgoing
+		// connections to peers whose port is < 1024. This is a safety
+		// precaution to avoid being part of a DDoS attack
+		bool no_connect_privileged_ports;
 	};
 
 #ifndef TORRENT_DISABLE_DHT
diff --git a/src/policy.cpp b/src/policy.cpp
index 338c62f8b..b6f428c92 100644
--- a/src/policy.cpp
+++ b/src/policy.cpp
@@ -557,6 +557,10 @@ namespace libtorrent
 		aux::session_impl const& ses = m_torrent->session();
 		if (ses.m_port_filter.access(p.port) & port_filter::blocked)
 			return false;
+
+		if (ses.m_settings.no_connect_privileged_ports && p.port < 1024)
+			return false;
+
 		return true;
 	}
 
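Review bot: The new comment on no_connect_privileged_ports does not state its default, which the constructor hunk earlier in this file sets to true, so a reader of the settings struct cannot tell that sessions built against this version start refusing such peers without any configuration change; I would add `// defaults to true` to the comment block. It would also help to say that the check is applied in addition to the port filter rather than replacing it, which is what the policy.cpp hunks show: `// applied independently of the session's port filter`.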
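Review bot: The privileged-port boundary is written as the bare literal 1024 here and again in the later policy.cpp hunk at line 1184, so the two sites can drift apart and neither explains the value; one file-scope constant such as `namespace { const int privileged_port_limit = 1024; }` used as `p.port < privileged_port_limit` at both sites would tie them to the setting's documented meaning. This check also drops the candidate silently, whereas the later hunk posts a peer_blocked_alert for the same condition; if the asymmetry is deliberate (peers already in the list are skipped, newly added ones are reported), a one-line comment saying so would stop the next reader from "fixing" it. The enclosing function's signature lies before this hunk, so I cannot see whether the port filter check above it is the only other rejection path.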
@@ -1180,6 +1184,13 @@ namespace libtorrent
 			return 0;
 		}
 
+		if (ses.m_settings.no_connect_privileged_ports && remote.port() < 1024)
+		{
+			if (ses.m_alerts.should_post())
+				ses.m_alerts.post_alert(peer_blocked_alert(m_torrent->get_handle(), remote.address()));
+			return 0;
+		}
+
 		// if the IP is blocked, don't add it
 		if (ses.m_ip_filter.access(remote.address()) & ip_filter::blocked)
 		{
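Review bot: The alert posted for a rejected privileged-port peer carries only the address, not the port or the reason, so a client handling peer_blocked_alert cannot distinguish this rejection from the ip-filter rejection that follows, which presumably posts the same alert type (its branch body is outside the hunk). If the existing alert type has to be kept for compatibility, the limitation should at least be stated at the call site: `// peer_blocked_alert carries no port or reason; indistinguishable from an ip_filter block`. The enclosing function starts before and continues after this hunk.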