What could a malicious discovery or relay server do?

The discovery server sees the device ID (the hash of the private certificate) and the IP address of each device, so this server knows which IP address is talking to which IP address using Syncthing. The discovery server doesn’t exchange data, and even if it does, as in the relay server, the data is end-to-end encrypted, and cannot be accessed.

These servers can be run by anyone on the public Internet. It’s plausible to assume that some of them are malicious.

What kind of attacks are possible? How large is the attack surface?

For example, a malicious server could send a cleverly crafted packet. Which code in Syncthing handles this packet?

The certificate isn’t really “private”. It can be seen by anyone listening on the wire and contains a public key. Though in general your assessment is correct.

I’m assuming you’re referring to the relay servers here. The discovery servers syncthing uses by default are run only by the Syncthing Foundation (they can be changed to self-hosted ones in the settings).

The obvious and realistic attack for both malicious discovery servers and relay servers is denial of service: A relay server can refuse to relay data, hence preventing successful sync. A discovery server can refuse to hand out connection information (or hand out wrong information, which is equivalent), also preventing sync.

Other than that, there isn’t anything possible without an explicit security vulnerability.

For relay servers, most of the data transferred is TLS-encrypted between the two syncthing peers. A relay server trying to inject or modify data packets would immediately fail data authentication in golang’s TLS implementation and the connection would be shut down.

There is an exception though: The syncthing peer also has to exchange control information with the relay server itself. This data is, perhaps confusingly, also TLS-encrypted, but in this case the relay server is the other end of the connection and hence can read the plain data. A security vulnerability in the relay protocol or its implementation might have more severe consequences. However, note that syncthing is written in Go, a memory-safe language, which automatically prevents many common software vulnerabilities such as buffer overflow attacks. There has been one reported security vulnerability in the relay protocol implementation in the past, resulting in a client crash without data leaks.

The discovery server speaks HTTPS with the syncthing client. The implementation is golang’s standard HTTP client. Only connection metadata is exchanged via it. Its primary point of concern is privacy, since it can track IP addresses over a period of time (possibly geoprofiling users).

The TLS and HTTP implementations used in syncthing are both widely used and were written by security professionals working for Google.
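Both the question and the reply describe the device ID as a hash of the device certificate, the same certificate any observer on the wire can see. The following Go program is an added example, not Syncthing's own code: it derives an ID from DER certificate bytes and validates an ID's check characters the way a client can before trusting a discovery answer. The steps (SHA-256, unpadded base32, four Luhn mod-32 check characters, dash-separated groups of seven) follow the published device-ID format as I understand it; the exact Luhn weighting is an assumption, so treat the output as illustrative rather than guaranteed byte-for-byte identical to Syncthing's. The certificate bytes below are a constructed stand-in.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"strings"
)

// Base32 alphabet (RFC 4648, unpadded) used for device IDs.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// luhnCheck returns the Luhn mod-32 check character for s (alphabet chars
// only). Assumption: left-to-right weighting as in Syncthing's luhn package.
func luhnCheck(s string) byte {
	factor, sum, n := 1, 0, len(alphabet)
	for i := 0; i < len(s); i++ {
		addend := factor * strings.IndexByte(alphabet, s[i])
		factor = 3 - factor // alternate weights 1, 2, 1, 2, ...
		sum += addend/n + addend%n
	}
	return alphabet[(n-sum%n)%n]
}

// DeviceID derives the ID from a DER certificate: SHA-256 -> base32 (52
// chars) -> 4 groups of 13 + check char (56 chars) -> 8 groups of 7.
func DeviceID(certDER []byte) string {
	sum := sha256.Sum256(certDER) // constructed stand-in bytes work the same way
	b32 := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(sum[:])
	var buf strings.Builder
	for i := 0; i < 4; i++ {
		buf.WriteString(b32[i*13 : (i+1)*13])
		buf.WriteByte(luhnCheck(b32[i*13 : (i+1)*13]))
	}
	full, parts := buf.String(), make([]string, 0, 8)
	for i := 0; i < 8; i++ {
		parts = append(parts, full[i*7:(i+1)*7])
	}
	return strings.Join(parts, "-")
}

// ValidDeviceID checks alphabet, length and the four check characters, so a
// mistyped or tampered ID is rejected before any connection is attempted.
func ValidDeviceID(id string) bool {
	s := strings.ReplaceAll(id, "-", "")
	ok := len(s) == 56 && strings.Trim(s, alphabet) == ""
	for i := 0; ok && i < 4; i++ {
		ok = luhnCheck(s[i*14:i*14+13]) == s[i*14+13]
	}
	return ok
}
```

Because the ID is a hash of public certificate material, the discovery server learns nothing from it that the certificate itself does not already expose; the check characters only catch transcription and tampering errors, they are not a secret.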