Re: [Sks-devel] simple DoS against SKS's HKP interface :/
From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] simple DoS against SKS's HKP interface :/
Date: Sun, 18 Mar 2012 21:25:44 -0400
User-agent: Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20120125 Icedove/9.0.1
On 03/18/2012 10:36 AM, MailFighter.net Admin wrote:
> On 03/13/2012 06:08 PM, Daniel Kahn Gillmor wrote:
>> It appears that SKS 1.1.1's hkp interface is vulnerable to an ugly DoS
>> attack by a client holding open a network connection without completing
>> an HTTP request.
>
> Sounds just like the kind of vulnerability that was present in most http
> services during the slowloris era. I'm pretty sure the same tools can be
> used to attack sks's hkp interface.
I'm afraid it's way worse than the slowloris attack, assuming you're
talking about [0]. slowloris was about exhausting the maximum number of
clients that could be connected (usually on machines configured with a
100 or so MaxClient limit). with sks (in its 1.1.1 implementation at
least), the effective maximum concurrent client count is exactly 1. :(
> If you could share your nginx configuration, others will probably adapt
> it to lighttpd, apache...
> I know, it's not big science, but to get the ball rolling :)
Sure thing. First, remember that /etc/sks/sksconf has:
hkp_address: 127.0.0.1
So it is still listening on the default port (11371), but only on the
loopback interface.
My goal is to offer public-facing HTTP service on the usual port 80, and
on the HKP port, and on port 443 for HKPS.
So my nginx configuration stanzas are:
-------------------
# Public-facing HKP and plain HTTP; both are proxied to sks on loopback.
server {
    listen 209.234.253.170:11371;
    listen 80;
    server_name keys.mayfirst.org;
    access_log off;
    location / {
        proxy_pass http://localhost:11371/;
    }
}

# HKPS: TLS is terminated here, sks itself only ever sees loopback traffic.
server {
    listen 443;
    server_name zimmermann.mayfirst.org;
    ssl on;
    ssl_certificate /etc/ssl/keys-m.o.crt;
    ssl_certificate_key /etc/ssl/private/keys.m.o-key.pem;
    ssl_ciphers HIGH:MEDIUM:!ADH;
    access_log off;
    location / {
        proxy_pass http://localhost:11371/;
    }
}
-------------------
Note that you'll need to modify the IP address in the first line, and
the server_name directives to match your own setup (and you'll have to
indicate the right paths to your X.509 certificate and secret key if
you're offering hkps access).
Feel free to ask on-list if you're having trouble with nginx as a
frontend for sks.
hth,
--dkg
[0] https://en.wikipedia.org/wiki/Slowloris
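The point of the layout above is that sks never talks to the network directly: it binds only to loopback, and nginx (which enforces per-client timeouts) takes the half-open connections. The checker below is an added example, not code from this thread or from the SKS project; it parses an sksconf fragment and a flat nginx config and reports when that layout does not hold. The sample inputs are constructed to mirror the post; the client_header_timeout check and its 10s value are a hypothetical addition, since the post does not set one.

```python
import re

# Constructed sample inputs, modelled on the sksconf line and nginx stanza in the post.
SKSCONF_LOOPBACK = "hkp_address: 127.0.0.1\n"
SKSCONF_EXPOSED = "hkp_address: 0.0.0.0\n"      # constructed: sks answering on every interface
NGINX_PAGE = """
server {
    listen 11371;
    listen 80;
    location / {
        proxy_pass http://localhost:11371/;
    }
}
"""
# Same stanza plus an explicit header timeout so a half-sent request is dropped by nginx
# (a hypothetical addition; the post itself does not set one).
NGINX_HARDENED = NGINX_PAGE.replace("location /", "client_header_timeout 10s;\n    location /")

def parse_sksconf(text):
    """Map 'key: value' lines of sksconf to a dict, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def nginx_directives(text, name):
    """Return the argument string of every occurrence of directive `name` in an nginx config."""
    return re.findall(r"(?m)^\s*%s\s+([^;]+);" % re.escape(name), text)

LOOPBACK_UPSTREAM = re.compile(r"^http://(127\.0\.0\.1|localhost|\[::1\]):11371/?$")

def check_sks_frontend(sksconf_text, nginx_text):
    """Return findings as strings; an empty list means the frontend layout is as advised."""
    findings = []
    hkp_addr = parse_sksconf(sksconf_text).get("hkp_address", "")
    if hkp_addr not in ("127.0.0.1", "localhost", "::1"):
        findings.append("hkp_address is %r, not loopback: clients can bypass nginx" % hkp_addr)
    upstreams = nginx_directives(nginx_text, "proxy_pass")
    if not upstreams:
        findings.append("no proxy_pass in nginx config: nothing forwards to sks")
    for up in upstreams:
        if not LOOPBACK_UPSTREAM.match(up.strip()):
            findings.append("proxy_pass %r does not point at sks on loopback:11371" % up)
    if not nginx_directives(nginx_text, "client_header_timeout"):
        findings.append("client_header_timeout unset: nginx default (60s) applies to slow clients")
    return findings
```

Run it against your real /etc/sks/sksconf and the nginx site file; the regexes expect one directive per line, as in the stanzas above.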