[squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.
Amos Jeffries
squid3 at treenet.co.nz
Sun Jan 22 17:11:48 UTC 2017
On 23/01/2017 1:03 a.m., Christos Tsantilas wrote:
>
> There is a well-known DoS attack using client-initiated SSL/TLS
> renegotiation. The severity or uniqueness of this attack method is
> disputed, but many believe it is serious/real.
> There is even a (disputed) CVE-2011-1473:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
>
> The old Squid code tried to disable client-initiated renegotiation, but
> it did not work reliably (or at all), depending on Squid version, due to
> OpenSSL API changes and conflicting SslBump callbacks. That code is now
> removed and client-initiated renegotiations are allowed.
>
> With this change, Squid aborts the TLS connection, with a level-1 ERROR
> message if the rate of client-initiated renegotiate requests exceeds 5
> requests in 10 seconds (approximately). This protection and the rate
> limit are currently hard-coded but the rate is not expected to be
> exceeded under normal circumstances.
>
> This is a Measurement Factory project.
>
Thank you.
In Ssl::ClientBio::stateChanged:
* please make the initial comment:
// detect client-initiated renegotiation DoS (CVE-2011-1473)
* The counting logic does not seem right:
> + const time_t currentTime = getCurrentTime();
> + if (windowRenegotiationsStart + RenegotiationsWindow < currentTime) {
> + windowRenegotiationsStart = currentTime;
> + windowRenegotiations = 1;
> + } else {
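Review bot: the reset branch in this excerpt runs only when `windowRenegotiationsStart + RenegotiationsWindow < currentTime`, i.e. after the window has already expired, so the code is a fixed-window counter anchored to the first renegotiation rather than a limit that holds for any 10-second span: a burst straddling the boundary between one window and the next can reach nearly twice the limit without tripping the check. Two smaller points on the same lines: the strict `<` resets only once more than RenegotiationsWindow whole seconds have elapsed, so with a 10-second window the first window actually covers 11 distinct time_t values (start..start+10 inclusive), and because `getCurrentTime()` returns a time_t the granularity is one second, which is why the description can only promise "approximately". A sliding or decaying count of recent renegotiations (the FadingCounter class already in Squid is one candidate) would enforce the rate over every 10-second span; the `else` branch that does the counting is not in the quoted context, so it should be reviewed together with this condition.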
... each attempt, the start timer is moved forward to the current
timestamp. So you are not counting 5 per 10sec, you are rejecting if
>10sec between attempts (which is okay I think, but still not what is
intended).
I think the FadingCounter class should be used here instead.
Amos
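The two counting strategies discussed above, side by side, as an added example; this is not Squid code and not the patch under review. It assumes the limit of 5 renegotiations per 10 seconds from the patch description, assumes the unquoted `else` branch of the hunk simply increments the count, and uses a plain sliding-window deque as a stand-in for a decaying counter (it is not an implementation of Squid's FadingCounter). Both counters are replayed over constructed timestamp sequences.

```cpp
// Added example, not Squid code: a fixed-window renegotiation counter with
// the structure of the quoted hunk, beside a sliding-window counter, both
// fed the same constructed timestamp sequences.
#include <cstddef>
#include <cstdio>
#include <ctime>
#include <deque>
#include <vector>

// Assumed from the patch description: abort after more than 5
// client-initiated renegotiations within (approximately) 10 seconds.
const int RenegotiationsLimit = 5;
const std::time_t RenegotiationsWindow = 10;

// Fixed window, following the shape of the quoted hunk. The window start
// moves only when the previous window has expired; the else branch is not
// in the quoted excerpt and is assumed here to increment the count.
class FixedWindowCounter
{
public:
    FixedWindowCounter() : windowStart(0), count(0) {}

    // Record one renegotiation at time `now`; true if the limit is exceeded.
    bool exceeded(std::time_t now) {
        if (windowStart + RenegotiationsWindow < now) {
            // strict '<': the window covers start..start+Window inclusive,
            // i.e. 11 distinct seconds at time_t granularity
            windowStart = now;
            count = 1;
        } else {
            ++count;
        }
        return count > RenegotiationsLimit;
    }

private:
    std::time_t windowStart;
    int count;
};

// Sliding window: keep the timestamps of recent renegotiations and drop
// those at least one window old before counting, so the limit applies to
// every 10-second span, not only to spans aligned with the first event.
// (A stand-in for a decaying counter; not Squid's FadingCounter.)
class SlidingWindowCounter
{
public:
    bool exceeded(std::time_t now) {
        while (!events.empty() && now - events.front() >= RenegotiationsWindow)
            events.pop_front();
        events.push_back(now);
        return static_cast<int>(events.size()) > RenegotiationsLimit;
    }

private:
    std::deque<std::time_t> events;
};

// Replay a timestamp sequence through a counter and report how many
// renegotiations would have aborted the connection.
template <class Counter>
int flagged(const std::vector<std::time_t> &times)
{
    Counter c;
    int n = 0;
    for (std::size_t i = 0; i < times.size(); ++i)
        if (c.exceeded(times[i]))
            ++n;
    return n;
}

int flaggedByFixedWindow(const std::vector<std::time_t> &t) { return flagged<FixedWindowCounter>(t); }
int flaggedBySlidingWindow(const std::vector<std::time_t> &t) { return flagged<SlidingWindowCounter>(t); }

// Constructed sample: one renegotiation opens the window at t=1000, then
// nine more in the nine seconds 1007..1015 straddling the fixed window's
// boundary (the first window ends at 1010, the next starts at 1011).
std::vector<std::time_t> boundaryBurst()
{
    static const std::time_t t[] = {1000, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015};
    return std::vector<std::time_t>(t, t + sizeof(t) / sizeof(t[0]));
}

// Constructed sample: a benign client renegotiating every 3 seconds.
std::vector<std::time_t> steadyClient()
{
    static const std::time_t t[] = {1000, 1003, 1006, 1009, 1012, 1015, 1018, 1021};
    return std::vector<std::time_t>(t, t + sizeof(t) / sizeof(t[0]));
}

int main()
{
    std::printf("boundary burst: fixed window flags %d, sliding window flags %d\n",
                flaggedByFixedWindow(boundaryBurst()), flaggedBySlidingWindow(boundaryBurst()));
    std::printf("steady client:  fixed window flags %d, sliding window flags %d\n",
                flaggedByFixedWindow(steadyClient()), flaggedBySlidingWindow(steadyClient()));
    return 0;
}
```

On the boundary-burst sample the fixed-window counter flags nothing although nine renegotiations arrive within nine seconds, while the sliding window flags the 6th and later events of that span; on the steady client both stay silent. That gap is the practical reason to count over a moving horizon rather than from the first event of a window.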