Re: [Sks-devel] simple DoS against SKS's HKP interface :/

sks-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] simple DoS against SKS's HKP interface :/

From:	John Clizbe
Subject:	Re: [Sks-devel] simple DoS against SKS's HKP interface :/
Date:	Mon, 23 Apr 2012 22:16:02 -0500
User-agent:	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.20pre) Gecko/20110606 Mnenhy/0.8.5 SeaMonkey/2.0.15pre

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA256

Johan van Selst wrote:
> Daniel Kahn Gillmor wrote:
>> Fix?
>> ----
>> I'm afraid i don't know ocaml at all, so i don't have a proposed fix.
>> It seems to be related to the event loop model on the sks db process,
>> though.  Looking at it from a system call level: either sks should be
>> multi-threaded, or reads from network sockets should be non-blocking,
>> and bundled into an aggregate select() statement so that concurrent
>> requests can be properly interleaved.
> 
> This seems to be the best way forward. Is anybody on this list actually
> looking into the suggested solution? Most people here, myself included,
> don't seem to be very fluent in OCaml programming. But I would
> definately appreciate it if somebody could look into this and come up
> with a real fix, rather than best-practice workarounds with reverse
> webproxies.

Oddly, I was looking at a different problem last night and noticed this
snippet appearing twice in wserver.ml:

188-189
let rec parse_headers map cin =
  let line = input_line cin in (* DOS attack: input_line is unsafe on
sockets *)

201-202
let parse_request cin =
  let line = input_line cin in (* DOS attack: input_line is unsafe on
sockets *)

So, it would appear to my barely apprentice level OCaml, that our
solution lies in a socket-safe implementation of input_line

- -John
- -- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:address@hidden
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12-git-509fe4ce-2012-01-31 (Windows XP)
Comment: When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
Comment: Be part of the £7 ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPlhrvAAoJECMTMVxDW9A0P7AH/RnE96vobo4zm8t+jsD2U0HA
VH7aIqXPn95DNedG8kl8bbIjRkQFH/JdmTVcE0MMAuKS5B1MGKrdiyjOdpDDebZE
bjN9kgj9laiWXybY2Q9JAdDBXRsyCpeQPOiUCs5xoHL4NbWP61r3D37wRXssfWOL
WZhfNWanFJdUltFE3Mct9mezxa+XqQJSl8lfNkcNlZk8TORPEwo7SG/iTcPeAjKL
yiAPlZyNj63Ynkj9G/v3C5NJocVjhsXOGjK99QAVaCyGGK/PypBvE+RlSLF1O9gA
gRmsSrCWTIlRdCynyrqY5TraJaxCAH47TukDtP4suIep/FU63zktM72FV/jGNlaI
XgQBEQgABgUCT5Ya7wAKCRDrXhnz1laYJae/AP92fyLBNwIrucpWLAex1/k9FqOW
8vkvWhOQ1h+rR9DCSQD7BWesAuVLqjWo0z4bgvhDhYzqWX+6nGo2qTnNiNYd1Iw=
=1nMU
-----END PGP SIGNATURE-----

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Sks-devel] simple DoS against SKS's HKP interface :/, Johan van Selst, 2012/04/23
- Re: [Sks-devel] simple DoS against SKS's HKP interface :/, John Clizbe <=
  - Re: [Sks-devel] simple DoS against SKS's HKP interface :/, Kim Minh Kaplan, 2012/04/25

Prev by Date: Re: [Sks-devel] SKS debian package
Next by Date: Re: [Sks-devel] simple DoS against SKS's HKP interface :/
Previous by thread: Re: [Sks-devel] simple DoS against SKS's HKP interface :/
Next by thread: Re: [Sks-devel] simple DoS against SKS's HKP interface :/
Index(es):
- Date
- Thread