
Re: [Sks-devel] simple DoS against SKS's HKP interface :/


From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] simple DoS against SKS's HKP interface :/
Date: Sun, 18 Mar 2012 22:57:09 -0400
User-agent: Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20120125 Icedove/9.0.1

Hi John--

Thanks for looking into this.

On 03/18/2012 09:46 PM, John Clizbe wrote:
> The default setting for wserver_timeout is 180 seconds.
> Does setting it to a lower value in sksconf help?

I just tested with 10 instead of 180.

if i revert my nginx changes and allow sks back to listening on public ports, set wserver_timeout: 10 in /etc/sks/sksconf, and restart the sks daemons, then yes: a single malingering connection can only block the server for 10 seconds instead of 180 seconds.

The downside of this, of course, is that bandwidth-constrained clients (like the one i mentioned earlier as performing an accidental DoS) will probably just fail in their connections, however, since their tcp streams are often stuttered with pauses >= 10 seconds.

So wserver_timeout: 10 is something of an improvement over the default of 180, but it introduces its own problems. And the bar for a malicious attacker isn't significantly raised -- they just need to make a new request every 10 seconds instead of every 180 seconds, since the settings change doesn't address the underlying concurrent requests issue.

As workarounds go, i think a reverse HTTP proxy is a better workaround, but setting "wserver_timeout: 10" is probably a worthwhile improvement if there's some reason that folks can't afford to just "apt-get install nginx" (or whatever the equivalent is for your OS or your reverse proxy of choice) immediately.

Regards,

        --dkg
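
A sketch of the reverse-proxy workaround discussed in the message above, added here as an example: it is not the nginx configuration the author used (the message does not show it) and is not from the SKS project. The public address 203.0.113.10, the loopback binding and every timeout and size value are assumptions to adjust per site.

```nginx
# /etc/sks/sksconf side (assumed, shown here as comments): bind SKS's HKP
# interface to loopback only, so clients can no longer reach it directly.
#   hkp_address: 127.0.0.1
#   hkp_port: 11371

# Goes inside the http { } context, e.g. as a file under sites-enabled.
server {
    # Placeholder public address (documentation range); replace with the
    # keyserver's real address. nginx now owns the public HKP port.
    listen 203.0.113.10:11371;

    # Slow or stalled clients are held by nginx's event loop, which handles
    # many connections concurrently, instead of occupying SKS.
    # Values are illustrative: generous enough for stuttering links.
    client_header_timeout 60s;
    client_body_timeout   60s;
    send_timeout          60s;

    # Key submissions arrive as POST bodies; cap their size (assumed limit).
    client_max_body_size 8m;

    location / {
        # SKS only ever talks to nginx over loopback, so each request it
        # sees arrives complete and its response is drained at local speed.
        proxy_pass http://127.0.0.1:11371;

        # Buffer the upstream response so SKS is released immediately and
        # nginx feeds the client at whatever pace the client can manage.
        proxy_buffering on;

        proxy_connect_timeout 5s;
        proxy_read_timeout    60s;

        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With this layout, lowering wserver_timeout in sksconf affects only the loopback hop between nginx and SKS, so bandwidth-constrained clients are governed by the nginx timeouts rather than by the SKS one.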


