Re: [Sks-devel] simple DoS against SKS's HKP interface :/
From: Kim Minh Kaplan
Subject: Re: [Sks-devel] simple DoS against SKS's HKP interface :/
Date: Wed, 25 Apr 2012 08:40:13 +0000
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)

John Clizbe writes:
> Oddly, I was looking at a different problem last night and noticed this
> snippet appearing twice in wserver.ml:
>
> 188-189
> let rec parse_headers map cin =
> let line = input_line cin in (* DOS attack: input_line is unsafe on
> sockets *)
>
> 201-202
> let parse_request cin =
> let line = input_line cin in (* DOS attack: input_line is unsafe on
> sockets *)
>
> So, it would appear to my barely apprentice level OCaml, that our
> solution lies in a socket-safe implementation of input_line

I suspect it is more involved and that here all that "unsafe" really
means is that it can block. But you can not really avoid this blocking
with TCP: it is a consequence of the reliability it provides. All the
solutions for handling this blocking phenomenon will involve multiple
simultaneous sockets handling and therefore either multiprocessing or
select-like interface... That is Daniel Kahn Gillmor's suggestion. Also
note that blocking can also occur during writes so prints are also
"unsafe".

Installing a proxy to handle all this sounds like the easiest way to go.
But I do not know enough about those to be certain that they handle all
cases of blocking. I'm specifically wary about malicious slow POST and
prints.

--
Kim Minh
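
The select-like approach mentioned in the message above, as an added example that is not SKS code and not written by anyone in this thread: request lines are read from several sockets through `Unix.select`, with a per-connection deadline and a length cap, so a client that stalls mid-line costs only its own slot. The names `conn`, `step`, `serve`, the limits `max_line` and `timeout`, and the socketpair input are assumptions; only reads are covered, not the blocking writes the message also warns about.

```ocaml
(* Added example, not SKS code. Build: ocamlfind ocamlopt -package unix -linkpkg demo.ml *)
type conn = { name : string; fd : Unix.file_descr; buf : Buffer.t; deadline : float }
let max_line = 8192  (* assumed cap on one request or header line, in bytes *)
let timeout = 2.0    (* assumed seconds a client gets to deliver that line *)

(* Called only after select reported c.fd readable, so read cannot block. *)
let step c =
  let chunk = Bytes.create 512 in
  match Unix.read c.fd chunk 0 512 with
  | exception Unix.Unix_error _ -> `Closed
  | 0 -> `Closed
  | n ->
    Buffer.add_subbytes c.buf chunk 0 n;
    let s = Buffer.contents c.buf in
    (match String.index_opt s '\n' with
     | Some i -> `Line (String.trim (String.sub s 0 i))
     | None -> if String.length s > max_line then `Too_long else `Pending)

(* Wait on all connections at once; a stalled client only uses up its own deadline. *)
let rec serve conns finished =
  let now = Unix.gettimeofday () in
  let late, live = List.partition (fun c -> c.deadline <= now) conns in
  let finished = List.map (fun c -> (c.name, `Timed_out)) late @ finished in
  match live with
  | [] -> finished
  | _ ->
    let wait = List.fold_left (fun m c -> min m (c.deadline -. now)) timeout live in
    let ready, _, _ = Unix.select (List.map (fun c -> c.fd) live) [] [] wait in
    let keep, finished =
      List.fold_left (fun (keep, fin) c ->
          if not (List.mem c.fd ready) then (c :: keep, fin)
          else match step c with
            | `Pending -> (c :: keep, fin)
            | r -> (keep, (c.name, r) :: fin))
        ([], finished) live in
    serve keep finished

let () =
  (* Constructed input over socketpairs: "slow" never finishes its request line. *)
  let mk name payload =
    let server, client = Unix.socketpair Unix.PF_UNIX Unix.SOCK_STREAM 0 in
    ignore (Unix.write_substring client payload 0 (String.length payload));
    { name; fd = server; buf = Buffer.create 64; deadline = Unix.gettimeofday () +. timeout } in
  let conns = [ mk "slow" "GET /pks/lookup?op=ge"; mk "fast" "GET / HTTP/1.0\r\n" ] in
  List.iter (fun (name, r) ->
      print_endline (name ^ ": " ^ (match r with
        | `Line l -> "line " ^ l | `Timed_out -> "timed out"
        | `Too_long -> "too long" | _ -> "closed")))
    (serve conns [])
```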