[squid-users] How to avoid Squid disclosing the origin server IP when there is an error
Xen
xen at dds.nl
Sun Sep 27 09:46:36 UTC 2015
Again, impressed by your knowledge. But I'm not really arguing against
your knowledge. It is basically a principle choice to /call/ one thing
security and the other privacy based on the impression or experience that
the one thing provides actual defenses or benefits in certain common
scenario's and the other doesn't. Perhaps that is pertinent to software
security, but in that case it is a very specific field and you are going
to define "security" in a very constrained way.
Basically, it is then more of a normative statement "what do me and my
buddies consider good enough" rather than a statement of definition.
You are basically arguing that in (all) real world scenarios (of
software/web/server security) the obscurity thing tends to converge on
irrelevance. But even that is true, it is still not a defining
characteristic, so to speak.
And I am just not that experienced in securty. I barely know about side
channel attacks because I did read one paper on a memory access (latency)
"localhost" attack on I believe OpenSSH or something that required a local
account to manipulate cache hits/misses.
And my math was just not up to par to understand it :p.
But I must say the way they narrowed down the possible set (or chains) of
keys based on known information was very interesting.
On Sun, 27 Sep 2015, Amos Jeffries wrote:
>>> 1) security by obscurity does not work.
>>
>> Seriously, that is just dogma being repeated over and over by people
>> who just heard it one time and accepted it as their own truth, without
>> really thinking it over. Security by obscurity works very well,
> This tells me you dont have much actual experience with security, or not
> low-level enough. Real experience with attacks and working on 0-day
> tools is better than even just "thinking it over". Thats what I based my
> statement on. Though I do adopt the industry phrase to get the idea
> across clearly.
But it's just not true. If all the world thinks that way and then devises
systems and setups where it is practically useless, then it is still not
true. Also, obscurity is not intended to defend against
single-point-of-interest attacks. Or anything that makes you a really
interesting target to those who already know you.
The point and the problem is that this industry phrase is a judgement that
really closes off thinking. You might even start missing out on
opportunies that might help you. I mean, to give this example again.
Perhaps it is not relevant when you have (or someone has) excellent
scanning tools and all that. But usually, in the physical world, and in
many many situations, thereof, there is certainly knowing or not knowing
"the terrain". If you know where you are, for example, but your pursuer
does not, it is obviously easier to escape. Now, if that pursuer was using
helicopters, satellites, automatic camera surveillances and analysis, and
tracking dogs to top it off :p, it would become a kind of different
situation.
So perhaps in (computer) security the status quo is that attackers and
defenders both have access to that level of sophistication in every
instance. And if information is almost never capable of being hidden,
well, then perhaps you'd better become a brick wall, or better yet, a
nuclear shelter.
In lesser situations though it becomes perfectly clear that if you know
how something works and someone else doesn't, you can use that to your
advantage. You may not want to call that "security" but I would call it
"escaping with my life".
There is something about masculine 'security' and feminine 'security'. The
one you are advocating is like masculine. Strong defenses. Not relying on
luck, or surrendering to the flow of things. Certainty at every level.
Guarantees. But often in life you also have to proceed based on confidence
and intuition alone, and you may need to trust that conditions will meet
where you want to be, when you get there.
If you are exposed anyway because you are a big business and all that,
there is already a design choice being made. Within certain choices
already having been made, the resulting 'security landscape' is also
informed by that choice or those choices.
Then, given that practical reality, you end up in a status quo where some
truths seem to hold. One of these conclusions may be "security by
obscurity is not security". But that still doesn't make it true. It makes
it dogma that is only true provided some well-established conditions
remain in force. That means it is not universal but more of a "rule of
fist" (Dutch phrase) -- a best practice or guideline you can always rely
on.
But it is actually a vulnerability. An attacker that is creative enough
will see your (that) (not wanting to insult here) fixed mindset and know
the blind spots that result from this fixation in thinking. This person
would think "hey, that's curious". "They left this possibility open". "It
just doesn't occur to them that anyone would do that".
I'm sorry, I was just like responding to that phrase alone, not
necessarily to this subject of CDN networks and this particular error
message, although the same holds true. My apologies.
It's just that that industry phrase, as you term it, is repeated so often
that even a security layman as myself must have heard it uttered at least
a dozen times in my own experience on mailing lists and perhaps more on
the web. It is a mantra, but the fact that people feel it needs to be
repeated constantly means that it doesn't come intuitive or instinctive.
And that means that in general people don't agree with it. These
disagreeing people are then called stupid in one way or another.
Sometimes you just have to stick to what makes sense intuitively to know
the real truth. Because you might learn something new that people
overlook.
And even if you know ...like nothing about security. You may still be able
to devise a better system. If you understand the fundamentals better. If
you can avoid the mistakes that were made prior to it. If you can unlock a
secret. If you can travel to the moon through a gateway no one knew about
;-).
> Not for sane security. For privacy. The two are different, though
> complimentary.
Then you (or the industry, as per you) has just reverted to calling the
masculine type of security "security" and the feminine type of security
"privacy" and warped both concepts in the process. It is more of a
statement as to what you consider "worthy" than that it is about what it
really is or comes down to.
All I know is that disregarding "privacy" can make you feel very /unsafe/.
I will agree that this is not the same as feeling "secure" or "insecure".
Security to my mind has more to do with having set up the required
prerequisites required to counter any attack or problem. Security then
revolves around feeling content that you have done what is necessary in
the event of something happening. Privacy is meant to make the likelihood
of that event happening, less or lower. Your situation can be extremely
"insecure" in that sense but you can still make it out "unscathed" due to
your level of privacy.
There is some line from some book about not telling your left hand what
your right hand knows, that pertains to this ;-).
> To take your analogy; walking into the town square keeping your mouth
> closed dressed in a cape and mask while someone is firing a machine gun
> all over the place will see you just as dead.
> They won't know who you are, but you'll still be dead.
If that is the environment you operate in, well, good luck :p.
Most of the time in the real (physical) world the situation is that there
are a lot of *potential* attackers (sometimes just about everyone) but
attack only happens as soon as you are 'identified'. Cloak and dagger
might not be that bad. I would agree that this is not an ideal situation
to have for a 'living' but in this condition your real 'security' is going
to be rather fragile regardless. You always need *some* level of "real"
security, even if it is nothing more than your hideout in the mountains. I
knew a guy who put traps in his vehicle and residences.
Person breaks into his car and starts to ignite it. But the ignition has
been altered and the chambre is flooded with a sleeping gas. ;-).
Real world too. They are just Russian. Someone broke into his "vacation
house" and the room automatically locked itself, flooded with water up to
neck level, and alerted the authorities automatically. I have had a rock
in my hands that was 3 billion years old. Andromeda :p.
You may not call that security but it sure works by obscurity ;-).
> But it does *not* tell that. HTTP is multi-hop. All the error message
> states is that 127.0.0.1 *somewhere* is unavailable. Good luck defining
> "somewhere".
> All it tells with certaintly is that there is at least one proxy
> operating. Attackers have zero information about whether that server is
> the origin server or just another proxy. They also dont have any info
> from that page about how many proxies down the chain the error was
> generated.
> Either way if erver X was the target they have to get to
> server X through the proxy they are already contacting and/or profiling,
> and cannot do so due to it being down and unavailable.
> It could as easily be one of these scenarios:
> <snip>
> Good luck if its the third one. Which is actually quite popular with all
> the major CDN.
Alright thanks for the information. I would still not be unhappy about
this information if I was interested in something.
> In a system relying on obscurity the effort required is near zero.
> System profiling takes under 10 HTTP messages and attack scan to find
> the obscured vulnerability takes however many needed to scan through
> CVE/0-day the attacker or their tools knows about for that combo of
> software.
Back in the day (I've read that book that Assange cooperated on) 'hackers'
were dealing with systems they knew nothing about, including how to
program for it. You can say that did not make it terribly secure as
eventually "they" found out. It did take a lot of effort though. When they
learned, the first wrote a port/host scanner on that system, and after a
time he came across a banking system that spewed out credit card
information on first connect. Nothing required. Completely and only
"protected" by obscurity, as it seems, as it was. Of course you can't rely
on that.
But know this.
In a world where all important software is open source (as per "obscurity
is not security) and if you stick to that, and your system is identified,
then this attacker needs only use his toolkit or whatever advanced toolkit
he can get / write. I'm thinking there are a bunch or a lot of female
hackers these days too though. Maybe even 10%. Women understand this
better.
What if, instead, you had a customized version of that software unique to
your system. Many a hacker needs to study the exact version or environment
of the software he wants to attack?.
Just by simple adjustment you can render any and all toolkits worthless.
This toolkit is actually a mass-targetting feature. You can perfectly
devise defenses that counter it. It requires obscurity. Then your attacker
suddenly needs to gain access to your binaries or source code. You now
have an information advantage that is momentous. The toolkit is a feminine
attack on a masculine defense, and hence successful. Obscurity, real
obscurity ;-) always requires dedication on a single target to defeat it.
Passwords are a form of obscurity, by the way. They are called secrets :p.
> And what does published documentation have to do with proxy A failing to
> connect to some upstream server? This thread is not about documentation,
> its about whether or not some admin has secured their CDN proxy.
Well actually I thought it was about whether this user considered the
error message a vulnerability to his own system. I guess your response is
"secure so it won't matter". Whenever someone gives me that sort of
reassurance, I know I'm in danger ;-). But I think you already know the
answer to your own question.
>> The same applies to attacking a system. If the cost becomes too high
>> for the benefit that can be gained, people will just leave a system
>> alone.
>>
>> It is important.
> Now that is dogma. Probably true most of the time, but still experience
> (and a bit of thinking) uncovers cases where it is false.
Not sure what you mean. In general that would mean the cost is not too
high? Or maybe there just is no cost to doing something. Or someone
believes there is something to be gained anyway?
The world of proxies :D.
> It is a negative statement about availability with the property that
> when its *not* happening one still cannot be certain about up/down
> status on the particular server application.
Alright, good information. But I think this user was primarily concerned
with the basic unpleasantness of any such information being shown?
Practical impossiblity does not equate to fundamental uselessness. Just
because something ... I guess I'm a bit stupid at this point, but just
because you can be /pretty sure/ that nothing bad can happen doesn't mean
it then becomes good practice to just go and flaunting it. You *are*
depending on your perfect or sufficient knowledge of the entire system.
That level of dependence might cause butt-hurt. If you happen to have
missed something your negligence of precaution may suddenly cause a bite
mark somewhere ;-). Just saying, you know.
> * If the attacker did manage to trigger this event they have no certinty
> about whether it was their action or a combination of their action and
> some other parallel traffic they are unaware of.
You are way cool you know. Seriously, mean it. Like I'm talking to the
expert of experts ;D. :).
> How does that strike you for height on the bar?
I'd take on the challenge lol. In due time, maybe in a previous life. ;-).
LOL!
> The one attack where this is useful is a DoS attack, where it is a sign
> that DoS is happening, but since ther is clearly a proxy involved the
> Dos success/fail state is still uncertain. Proxies have this ability to
> limit DoS to particular clients and/or present different variants of
> response to different requests. So the attack request may be getting
> this error while regular traffic does not even notice.
Above my head at this point.. Even if you could use this feedback as an
indication of DDoS (DoS) success ... well I guess it could warrant
conditions for a further stage that would be impossible or too dangerous
without it. Dunno. I know that this level of knowledge or feedback can be
quite vital though. Sometimes if a feedback mechanism fails you are just
left without recourse to proceed. I really hate that. I hate those people
:P. LOL.
I'm no hacker, just pretending to be one to some people at some times
;-P.
Seriously. I'm just a stupid person ;p.
> This is slightly incorrect. Protecting the server requires protecting
> it, not hiding. Proxy offers a higher bar to DoS attacks, and added
> complexity of software HTTP interptetations and ACLs that need to be
> broken or bypassed before any attack is successful.
I mostly meant "hiding" as a form of encapsulating. I mean, the webserver
could be on an internal network, right? It is not anymore hidden than your
couch in your living room is hidden. Not everything has to be global IP
exposed.
Personally I like this idea of connecting with e.g. VPN or whatever and
then using a service that only answers to e.g. 127.0.0.1.
You can see how beginner I am :P.
> You still have to place the protections in both proxy and server to gain
> those proxy benefits. At which point the server location starts to mean
> almost nothing in terms of protection.
Do you mean that given adequate firewall settings a connect will be
impossible anyway from a host that is not supposed to?
And at that point given this adequate or perfect design, any other
precaution is rendered redundant?
> Having the server on the same host as the proxy adds the localhost
> hardware protections. That is all. Then exposes it to side effects of
> CPU consumption attacks made against the proxy which would not be an
> issue if it were separate.
Right. I believe separate-host service or provision is important anyway.
Such as not storing audit logs on the same machine.
> That high CPU consumption is just one normal peak traffic case for a
> proxy. So it can occur almost on demand if an attacker chooses. Squid is
> designed to continue operating under those conditions. Servers and in
> particular "application layer" stuff is much more fragile.
Not sure what you mean. You're saying that although Squid might be
vulnerable to this scheme, it is not really of greatest interest given
other vectors?
I guess application layer flaws account for the vast majority of
break-ins?
Not sure, it seems that way. The higher you get in your coding (such as
PHP) the easier it is to make mistakes or leave things open. Apart from C
and its inherent weaknesses. PHP is like designed to have a nest of vipers
that will bite you if you stick your hand in. Whatever.
> I mean it is mandatory for each proxy along the chain to send headers
> detailing the hosts and protocols the message has passed over. One
> ambiguous detail in a rarely occuring error message is the hard way to
> get any info which is spewed forth on every request. And on diagnostic
> requests is presented "on a silver platter" as the saying goes.
Right. I'm sorry, I was not very cognisant of that. I never studied these
header responses from e.g. CDNs. It also seems weird that this information
is mandatory.
>> Aye, it is prettier as well if this information is not shown/leaked.
> Then dont use that error template. Eliezer pointed out how. When it does
> occur it presents the minimum of vital debugging information necessary
> to resolve the outage.
Aye, I'm not necessarily saying it would be a flaw or mistake or error of
the Squid proxy, just that perfection is not guaranteed if this is the
default :p.
> This error message is specifically designed to reveal those two details
> of URL and which server was down. Such that it can be identified and
> fixed. So this does not qualify as a vulnerability leak.
That doesn't follow, but whatever ;-) :).
> In reverse-proxy cases the end user receiving it is perhapse not the
> best target, the log would be better. Patches making the distinction are
> welcome.
Aye, I guess that was the point. It would not matter to me if this was a
forward proxy. It is pretty damn helpful that Squid tells me what host was
down in a nice graphical page. For a regular forward proxy being informed
like that is supremely helpful.
I'm not really in the position to do any coding at this point though in
other systems, no matter how much I would love to get more familiar with
code of projects that interest me. But thanks for the offer.
> I usually have no need, for instance, for detailed database connection
> failure reports. It is ugly and exposes a lot of internals to your user.
> A common user will also be thinking "what is this shit?". It is not
> tailored for the presentation that was created for the website proper.
> If anything, an error message like that would need to get a message page
> that is in line with the semantics/display/appearance of the page/site
> itself. Just to be consistent and keep the encapsulation intact.
This is what errorpage.css config file is for. Reverse-proxy
installations should use it to brand their proxy generated responses.
> :-) and welcome. If you would like to help improve the error messages,
> patches to update the templates are welcome.
> But be aware that proxies have a very wide set of use-cases to cater
> for, so eliminating details is not always the best choice. The case in
> point being that the detials being a worry to some now are critical for
> ISP installations to report, but not reverse-proxy. We ride the fine
> line between relevance and leaks.
;-). I guess that was the point. It is merely for reverse proxies that it
is worrisome, I guess.
I barely even know what a reverse proxy is. Okay, I do. Slightly.
:p.
Thanks man.
Oh I'm gonna stop responding like this in detail because for some reason
my email client (Alpine) has stopped prepending > to the
replying-to-message for some reason and I don't know why or how or how to
stop it :p.
Makes it rather tiresome to quote stuff.
Regards...
More information about the squid-users
mailing list