Re: [Tails-dev] Endless Data Attack and Defense

Nachricht löschen

Nachricht beantworten
Autor: intrigeri
Datum:  
To: The Tails public development discussion list
Neue Treads: Re: [Tails-dev] Endless Data Attack and Defense
Betreff: Re: [Tails-dev] Endless Data Attack and Defense
Hi!

adrelanos wrote (17 Feb 2013 20:19:21 GMT) :
>> Endless data attacks. An attacker responds to a file download request
> with an endless stream of data, causing harm to clients (e.g. a disk
> partition filling up or memory exhaustion).


> Affected:
> - tails_htp


Acknowledged.

> - Tails security check perhaps?


The default LWP::UserAgent's timeout is 180 seconds, so no, it's
not vulnerable.

But anyway: an attacker who is able to implement this attack against
tails-security-check can also reply wrong information, and this
entirely break the whole purpose of the tool. So, I'd say that we
don't care about the endless data attack at all here.

> - wherever else where you are using a scripted download (didn't check
> more throughly than a fast grep for curl)


Thanks for having a look!

I've also grep'd for wget and LWP, and found no other such thing.

> We're in luck. A fix doesn't appear to be that complicated. Curl
> supports --max-time.


> Adding a timeout between, well, 120 and 300 seconds?


> Whatever a good timeout value would be, it's probable best not the hard
> code let's say for example 120 seconds.


I would happily take a patch against our htpdate fork that adds a 180
seconds timeout. Interested?

> I think it may be best to add a random extra delay between maybe 0 and
> 300 seconds seconds so the attacker doesn't know for sure if Tor, the
> wifi, the network broke down or if the user was using --max-time.


This minor change might help hiding, to a member of our HTP pool, the
fact that someone using wget over Tor to retrieve their homepage
without the associated resources, that the client is using htpdate (I
would need to be convinced that adding timeouts at random looking
values while everybody else uses values such as 180s would actually
help, though.). Well, this could be worth researching further.
Current htpdate does not really try to hide who it is, does it?

Have I missed some other attack this change would defeat?

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc