Introduction

I am currently trying to build up a networking layer for Unity from scratch. Currently I am testing the communication via UDP using Node.js for the server and the client. However, I guess the language of the implementation will not matter for what I am asking.

I have actually only read about security-related things on the server side. But because I need other people to help me test what I am creating, I really need to be sure that they won't be harmed in any way.

Current approach

The current approach using Node.js for the server and the client is pretty basic. I simply send a message from a client to my server while the client and the server are not in the same local network. Both are behind a router and therefore also behind a NAT.

The server then sends back an answer to the IP and port received within the UDP packet that was sent from the client.

Problem

I am curious about the security on the client side regarding malicious data sent by somebody who is spoofing the client and/or NAT. Also, I am not sure whether the fact that my application is opening ports on the client machines and routers might be used for something malicious.

Assumption

So far I figured out that malicious data might in fact be a problem at the application level. Also I figured out that it is not a security issue when my application opens ports (locally at the client's machine and then when sending within the client's router) or at least I cannot do anything against it.

So in summary this would mean that I only need to protect the client on OSI layers greater than 4 (within the application). Anything less than or equal to OSI layer 4 doesn't need to be made more secure by myself.

Question

So is my assumption correct? If so, what am I able to do against malicious data?

Bee

1 Answer

This should be a comment, but it's a bit long.

security on the client side

...is totally dependent on the application itself (which, within the context of the question, we don't need to know about/discuss) and the firewall/NAT (which you've told us nothing about).

I figured out that it is not a security issue when my application opens ports

Really? Increasing the attack surface does not affect the security?

or at least I cannot do anything against it

Try harder.

That you are using UDP across a WAN or the internet (between 2 fixed points) rather implies that:

1) the application uses very little bandwidth

2) low latency is critical

Hence, TLS or a challenge-based authentication step would undermine these 2 requirements. This rather implies that you should be using a one time pad both to authenticate the requests and to protect against MITM.

symcbean
  • The application itself currently is nothing more than the samples from the Node.js docs. Server and Clients do nothing more than binding to a port and then listening for incoming messages and printing the message afterwards. I really don't know if this is a secure application already or if I have to do something (which I have no idea about yet) about it. I was told there might be problems when a MITM sends malicious data. I actually called it "opens ports" but I am actually not sure if that is even true for my application. I just want to make sure people that test won't get harmed in any way. – Bee Mar 28 '17 at 16:43
  • I actually forgot to talk about your last point. The thing that is most important to me is low latency because I also want to be able to realize fast-paced multiplayer games. So it is not only low latency that matters but also the unordered and non-reliable delivery. – Bee Mar 28 '17 at 16:47
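
One way to treat incoming datagrams as untrusted on the client, shown as an added example that is not part of the original question or answer: each packet is checked for source, size, an authentication tag and freshness before the application parses it. It uses an HMAC-SHA256 tag with a pre-shared key rather than the one time pad mentioned in the answer; the packet layout, the size limit and the function names are assumptions.

```javascript
// Added example: authenticate and bound-check each UDP datagram before the
// application parses it. Layout (assumed): seq (8 bytes) | payload | tag (16).
const crypto = require('crypto');

const HEADER_LEN = 8;     // 64-bit big-endian sequence number
const TAG_LEN = 16;       // truncated HMAC-SHA256 tag
const MAX_PAYLOAD = 1200; // assumed application limit, below a typical MTU

function tagFor(key, body) {
  return crypto.createHmac('sha256', key).update(body).digest().subarray(0, TAG_LEN);
}

// Sender side: key is a pre-shared secret (assumption), seq is a BigInt counter.
function seal(key, seq, payload) {
  const header = Buffer.alloc(HEADER_LEN);
  header.writeBigUInt64BE(seq);
  const body = Buffer.concat([header, payload]);
  return Buffer.concat([body, tagFor(key, body)]);
}

// Receiver side: returns a verify(msg, rinfo) function for one expected peer.
function makeVerifier(key, peer) {
  let lastSeq = -1n; // highest sequence number accepted so far
  return function verify(msg, rinfo) {
    // Cheap filter only: UDP source addresses can be spoofed, the tag is the real check.
    if (rinfo.address !== peer.address || rinfo.port !== peer.port) {
      return { ok: false, reason: 'unexpected source' };
    }
    if (msg.length < HEADER_LEN + TAG_LEN || msg.length > HEADER_LEN + MAX_PAYLOAD + TAG_LEN) {
      return { ok: false, reason: 'bad length' };
    }
    const body = msg.subarray(0, msg.length - TAG_LEN);
    const tag = msg.subarray(msg.length - TAG_LEN);
    if (!crypto.timingSafeEqual(tag, tagFor(key, body))) {
      return { ok: false, reason: 'bad tag' };
    }
    // Strict rule: late or replayed packets are dropped; a sliding window would
    // be needed to accept packets that merely arrive out of order.
    const seq = body.readBigUInt64BE(0);
    if (seq <= lastSeq) return { ok: false, reason: 'replayed or stale' };
    lastSeq = seq;
    return { ok: true, seq, payload: body.subarray(HEADER_LEN) };
  };
}

// With dgram: socket.on('message', (msg, rinfo) => { const r = verify(msg, rinfo); ... });
```

The tag gives authenticity and integrity only; the payload is still sent in the clear.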