Author: adrelanos
Date:
To: The Tails public development discussion list
Subject: [Tails-dev] Endless Data Attack and Defense
Hi!
I've been reading the Thandy design.
> Endless data attacks. An attacker responds to a file download request with an endless stream of data, causing harm to clients (e.g. a disk partition filling up or memory exhaustion).
Affected:
- tails_htp
- Tails security check perhaps?
- wherever else you are using a scripted download (didn't check
more thoroughly than a fast grep for curl)
We're in luck. A fix doesn't appear to be that complicated. Curl
supports --max-time.
Adding a timeout between, well, 120 and 300 seconds?
Whatever a good timeout value would be, it's probably best not to hard
code, let's say for example, 120 seconds.
I think it may be best to add a random extra delay between maybe 0 and
300 seconds so the attacker doesn't know for sure if Tor, the
wifi, the network broke down or if the user was using --max-time.
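
The proposal in this message, written out as an added example; it is not part of the original post and is not Tails code. It picks a per-run `--max-time` of 120 seconds plus a random 0 to 300 seconds, and goes one step beyond the message by also capping the bytes kept, since a time limit alone still lets a fast link fill a partition. The function names and the `MAX_BYTES` value are assumptions.

```sh
#!/bin/sh
# Added example (not Tails code). Values marked "assumption" are not from the message.
BASE_TIMEOUT=120     # seconds; lower end of the range floated in the message
MAX_JITTER=300       # seconds; random extra delay of 0..300 as proposed
MAX_BYTES=1048576    # assumption: 1 MiB is ample for a small scripted download

# Print a per-run --max-time value: BASE_TIMEOUT plus 0..MAX_JITTER seconds.
pick_timeout() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')   # 0..65535 from the kernel RNG
    echo $(( $BASE_TIMEOUT + $r % ($MAX_JITTER + 1) ))
}

# Copy stdin to file $2 only if it is at most $1 bytes; otherwise keep nothing.
cap_stream() {
    max=$1; dest=$2
    tmp=$(mktemp) || return 1
    head -c "$(( $max + 1 ))" > "$tmp"    # stop reading one byte past the cap
    size=$(( $(wc -c < "$tmp") ))
    if [ "$size" -gt "$max" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# Download URL $1 to file $2, bounded in both time and size.
fetch_bounded() {
    url=$1; final=$2
    status=$(mktemp) || return 1
    part=$(mktemp) || return 1
    # A pipeline reports only its last command's status, so save curl's to a file.
    { curl --silent --fail --max-time "$(pick_timeout)" "$url"; echo "$?" > "$status"; } |
        cap_stream "$MAX_BYTES" "$part"
    capped=$?
    rc=$(cat "$status"); rm -f "$status"
    if [ "$capped" -eq 0 ] && [ "$rc" -eq 0 ]; then
        mv "$part" "$final"
    else
        rm -f "$part"     # timed out, failed, or oversized: discard partial data
        return 1
    fi
}
```

Once `head` has read one byte past the cap it exits, the pipe closes, and curl stops with a write error instead of continuing to receive the stream.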