Re: [Sks-devel] simple DoS against SKS's HKP interface
From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] simple DoS against SKS's HKP interface
Date: Tue, 20 Mar 2012 01:00:32 -0400
User-agent: Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20120125 Icedove/9.0.1

On 03/20/2012 12:22 AM, Pacal Mayan wrote:
> would implementing an accept filter help? i.e., accf_data or accf_http
> on the socket?

I'm assuming you're talking about [0], which i think is FreeBSD only,
right? i'd never seen this sockopt before, thanks for pointing it out!
I haven't tested it myself, but my guesswork-analysis follows.

The documentation there says:

  If something other than a HTTP/1.0 or HTTP/1.1 HEAD or GET request is
  received the kernel will allow the application to receive the connection
  descriptor via accept().

Since SKS needs to be able to deal with POSTs on its HKP port (key
uploads), i think an attacker would just need to initiate an HTTP POST
request to cause the kernel to hand off the socket to the process (and
thereby lock it up).

So, if you're running FreeBSD, using accf_http would probably help to
reduce the incidence of accidental DoS from bandwidth-constrained
clients doing GETs, but it doesn't seem to offer much more protection
against malicious exploitation.

I still think the reverse proxy is the best workaround proposed thus
far, but setting accf_http and lowering wserver_timeout are both
probably better choices than leaving a public-facing SKS server in the
default configuration.

Regards,
--dkg

[0] http://nixdoc.net/man-pages/FreeBSD/man9/accf_http.9.html
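
Added example, not part of the original message and not SKS code: one way a C server on FreeBSD could attach the accept filter discussed above to its listening socket. The names open_listener and enable_accf_http are hypothetical; where SO_ACCEPTFILTER does not exist the call is compiled out and reports failure.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Loopback TCP listener; port 0 lets the kernel choose a free port. */
int open_listener(unsigned short port)
{
    struct sockaddr_in a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Attach accf_http (filter name "httpready") to a socket that is already
 * listening; the accf_http kernel module must be loaded. Returns 0 on success,
 * -1 with errno set (ENOPROTOOPT where SO_ACCEPTFILTER does not exist). */
int enable_accf_http(int listen_fd)
{
#ifdef SO_ACCEPTFILTER
    struct accept_filter_arg afa;
    memset(&afa, 0, sizeof(afa));
    strcpy(afa.af_name, "httpready");
    return setsockopt(listen_fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
#else
    (void)listen_fd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

int main(void)
{
    int fd = open_listener(0);
    if (fd < 0 || enable_accf_http(fd) < 0)
        perror("accf_http not enabled");
    return 0;
}
```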