NETStandard doesn't pass UACTT DoS attack test

[Siyuan-Xu-Wapice]

Type of issue

• Bug
• Enhancement
• Compliance
• Question
• Help wanted

Current Behavior

The NETStandard Stack doesn't comply with UCATT Security Test:

• Dos attempt by consuming Channels
• Dos attack 2 consume SecureChannels, but CreateSessions in some.

Configuration:
ReferenceServer:
MaxChannel: 76
MaxSession: 75

When the stack doesn't behave according to the OPCUA Specification, all the servers created by the stack would suffer from the same security exploit.

Expected Behavior

According to OPC UA Specification Core/Part4/v105/docs/5.6.2:
"To protect against misbehaving Clients and denial of service attacks, the Server shall close the oldest unused SecureChannel that has no Session assigned before reaching the maximum number of supported SecureChannels. When Session-less Service invocation is done through a transport mapping that requires the OpenSecureChannel Service, the Server shall maintain a last used time for the SecureChannel to detect the oldest unused SecureChannel."

Steps To Reproduce

1. Configure the ReferenceServer.config.xml:
   75
   76
2. Setup UACTT project and copying the required certificates to the ReferenceServer's PKI directory.
3. Manual select the tests:
   • Conformance Units -> Security -> Security None
   • Conformance Units -> Security -> Security Aes256-Sha256-RsaPss
4. Run Test and observe the results.

Environment

- OS:Windows 10/11
- Environment:
- Runtime: .NET8 and .NETFramework 4.8
- Nuget Version: 1.5.375.443
- Component:
- Server: ConsoleReferenceServer
- Client: UACTT 1.04.11-01.00.508 (Windows Build)

Anything else?

No response

[Siyuan-Xu-Wapice]

Hello, @mrsuciu. I noticed the bug tag was added then removed from this issue. Is there any update?

[mrsuciu]

Hello @Siyuan-Xu-Wapice, the issue is under investigation.

The server does have a stale channel cleaning mechanism but it is triggered periodically by a timer at an interval of configured ChannelLifetime / 2 and the channel is considered "unused" when the last activity registered is older than ChannelLifetime.

On which CTT version have the tests been ran ?
Did you modify both the CTT settings session and channel max values and the server's configured MaxSessionCount and MaxChannelCount ?
Which nugget version do you use ?

[Siyuan-Xu-Wapice]

Hello, Thank you Suciu for replying and explaining the channel cleaner mechanism.
I have the latest Windows build of UACTT version 1.04.11-01.00.508. The test environment were both Windows 10 and 11.
Yes, I configured both UACTT Project and Reference Server/our server (developed by using OPCF'S NET Stack) to have MaxSession=75, MaxChannel = 76.
The nuget version is the latest stable: 1.5.375.443

I noticed that the default ChannelLifetime is set to 300,000 ms, and the UACTT DoS attack 2 test did not wait for half of the channel life timespan. A malicious actor with a trusted ApplicationCertificate could exploit this by continuously creating SecureChannels without establishing a session. The ChannelLifetime/2 cleanup mechanism would be useless in defending the server against such an attack.

[mrsuciu]

@Siyuan-Xu-Wapice I ran the tests individually for the None profile in debug mode and passed with the attached PR.

[Siyuan-Xu-Wapice]

@mrsuciu Wonderful! Great efficient work, thanks for the efforts!
Can you help me with a couple of more questions:

1. What's OPCF's normal release cycle of Nuget packages, and when will this PR go to the Release?
2. What's the official term for OPCF's OPCUA development packages, I am using Stack, SDK, Library interchangeably, would be nice to learn the proper name.