
Fedora 40 fastd 2025-29fc4fefd5 Low: UDP amplification attack

February 5, 2025
Fedora 40 introduces updates for fastd that mitigate minor amplification vulnerabilities, accompanied by a security advisory and crucial bug fixes.

Summary

fastd is a secure tunneling daemon with some unique features:

- Very small binary (about 100KB on OpenWRT in the default configuration, including all dependencies besides libc)
- Exchangeable crypto methods
- Transport over UDP for simple usage behind NAT
- Can run in 1:1 and 1:n scenarios
- There are no server and client roles defined by the protocol; this is just defined by the usage.
- Only one instance of the daemon is needed on each host to create a full mesh. If no full mesh is established, a routing protocol is necessary to enable hosts that are not connected directly to reach each other.

Update Information:

This release contains a number of small improvements and bugfixes, including mitigations for the LOW severity vulnerability CVE-2025-24356.

Bugfixes

- Add mitigations for fast-reconnect amplification attacks

When receiving a data packet from an unknown IP address/port combination, fastd will assume that one of its connected peers has moved to a new address (for example due to internet lines with dynamic IP, or roaming between WWAN and a local internet connection) and initiate a reconnect by sending a handshake packet. This “fast reconnect” avoids having to wait for a session timeout (up to ~90s) until a new connection is established.

Even a 1-byte UDP packet just containing the fastd packet type header can trigger a much larger handshake packet (~150 bytes of UDP payload). With fastd v22, this number is doubled, because two handshakes are sent (one in a pre-v22-compatible format and one in a new L2TP-style format). Including IPv4 and UDP headers, the resulting amplification ...
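The fast-reconnect behaviour described above leaves a recognisable traffic shape on a host running fastd: small datagrams from addresses that are not established peers, each answered with much larger handshakes. The following Python is an added example, not code from fastd or from the advisory; it assumes IPv4 without options, a packet summary of (direction, remote IP, remote port, UDP payload length), illustrative thresholds, and constructed sample traffic.

```python
from collections import defaultdict

IPV4_UDP_OVERHEAD = 20 + 8  # IPv4 header without options + UDP header (assumed)

def wire_ratio(request_payload, reply_payloads):
    """On-wire bytes sent per on-wire byte received for one exchange."""
    sent = sum(p + IPV4_UDP_OVERHEAD for p in reply_payloads)
    return sent / (request_payload + IPV4_UDP_OVERHEAD)

def amplified_remotes(packets, known_peers, min_ratio=3.0, min_requests=20):
    """Return {remote_ip: out/in ratio} for non-peer addresses that were sent
    far more bytes than they delivered. Thresholds are illustrative.

    packets: (direction, remote_ip, remote_port, udp_payload_len) tuples,
    direction "in" = towards the daemon, "out" = from the daemon.
    """
    stats = defaultdict(lambda: {"in": 0, "out": 0, "requests": 0})
    for direction, ip, port, length in packets:
        if (ip, port) in known_peers:
            continue  # established sessions legitimately carry bulk traffic
        s = stats[ip]  # key on IP only: spoofed traffic may vary the port
        s[direction] += length + IPV4_UDP_OVERHEAD
        if direction == "in":
            s["requests"] += 1
    return {
        ip: round(s["out"] / s["in"], 2)
        for ip, s in stats.items()
        if s["requests"] >= max(min_requests, 1) and s["out"] / s["in"] >= min_ratio
    }

def sample_capture():
    """Constructed traffic (documentation address ranges), not a real capture."""
    peers = {("198.51.100.7", 41000)}
    pkts = []
    for i in range(50):  # 1-byte datagrams, each answered by two ~150-byte handshakes
        port = 50000 + i
        pkts += [("in", "203.0.113.9", port, 1),
                 ("out", "203.0.113.9", port, 150), ("out", "203.0.113.9", port, 150)]
    for _ in range(200):  # established peer: symmetric tunnel traffic
        pkts += [("in", "198.51.100.7", 41000, 1200), ("out", "198.51.100.7", 41000, 1200)]
    # roaming peer: one data packet from a new address triggers one reconnect
    pkts += [("in", "192.0.2.44", 5555, 900),
             ("out", "192.0.2.44", 5555, 150), ("out", "192.0.2.44", 5555, 150)]
    return pkts, peers

if __name__ == "__main__":
    capture, peers = sample_capture()
    print(amplified_remotes(capture, peers))
```

The legitimate roaming peer in the sample is not flagged, because a single reconnect after a full-size data packet sends fewer bytes than it received.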


Change Log

* Sun Jan 26 2025 Felix Kaechele - 23-1
- update to 23
* Thu Jan 16 2025 Fedora Release Engineering - 22-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Wed Jul 17 2024 Fedora Release Engineering - 22-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild

References


[ 1 ] Bug #2342133 - fastd-23 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2342133
[ 2 ] Bug #2342337 - CVE-2025-24356 fastd: UDP traffic amplification via fastd's fast reconnect feature [fedora-40]
      https://bugzilla.redhat.com/show_bug.cgi?id=2342337

Update Instructions

This update can be installed with the "dnf" update program. Use

    su -c 'dnf upgrade --advisory FEDORA-2025-29fc4fefd5'

at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity: Low

Name: fastd
Product: Fedora 40
Version: 23
Release: 1.fc40
Summary: Fast and secure tunneling daemon
