Description

Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning

Summary

A composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems — all exercisable from a single TCP connection — to create a monotonically growing block deficit that never self-heals.

Severity

Critical — This is a Denial of Service vulnerability that requires no authentication, no special privileges, and only a single peer connection. The halt is permanent: the node will never recover without operator intervention.

Affected Versions

All Zebra versions prior to 4.4.0.

Description

Zebra discovers new blocks through two complementary paths: a gossip path (peers announce blocks via inv messages, triggering individual block downloads) and a syncer path (Zebra periodically queries peers with FindBlocks/FindHeaders to discover chains of missing blocks). Both paths must function for normal operation.

The gossip path was vulnerable because there was no per-connection rate limit on inv messages. A single connection could send enough sequential inv messages with fake block hashes to fill the entire gossip download queue in under a millisecond. The FullQueue return value was silently ignored, so legitimate block announcements from honest peers were dropped with no warning.

The syncer backup path could be degraded by responding with empty inv to FindBlocks requests and with NotFound to block download requests. Both are valid protocol responses that carried zero misbehavior penalty. The attacker's connection was never banned and never disconnected, allowing the degradation to persist indefinitely.

Combining these two vectors, an attacker could suppress both block discovery paths simultaneously from a single connection, causing the node to fall permanently behind the chain tip.

Impact

Denial of Service

Attack Vector: Network, unauthenticated. Requires only a single TCP peer connection.

Effect: Permanent halt of block discovery. The targeted node falls behind the chain tip and never recovers without operator intervention.

Scope: Any Zebra node reachable by the attacker over the peer-to-peer network.

Fixed Versions

This issue is fixed in Zebra 4.4.0.

The fix drops connections that send empty responses to FindBlocks and FindHeaders messages, preventing attackers from degrading the syncer path without consequence.

Mitigation

Users should upgrade to Zebra 4.4.0 or later immediately.

There are no known workarounds for this issue. Immediate upgrade is the only way to protect against this attack.

Credits

Zebra the researcher who reported this issue through the coordinated disclosure process.

Aliases

References