[mschempp]

Hi Tepix. Im the author of the tool.

Thanks for the feedback! It doesn't describe how it prevents that attack, because it doesn't prevent this attack :).

As someone else wrote, I could put the IP address of the sender into the encrypted data and validate that in the backend and drop the packet + block the IP address.

I will add that in the next release!

[Tepix]

No that won't work because the sender doesn't know what the src ip of the packet will be by the time it arrives (NAT is everywhere!)

[mschempp]

the client COULD use something like https://www.ipify.org/ to get the IP, which can then be used as an additional client argument.

But if an adversary uses the SAME network, then the IP address that the server sees will be the same for the client and the adversary, so it only matters if the adversary takes the packet and sends it from a different network, which the adversary won't have to do, because they still control the network where the packet was originally sent from.