View Issue Details

ID: 0009363
Project: 10000-002: Security
Category: Spec
View Status: public
Last Update: 2024-02-27 17:47
Reporter: Martin Regen
Assigned To: Paul Hunkar
Priority: normal
Severity: minor
Reproducibility: N/A
Status: assigned
Resolution: open
Product Version: 1.05.03
Target Version: 1.05.04 RC1
Summary: 0009363: Proposal to add advanced security validation to the first hello/reverse hello message
Description

The security WG discussed this topic on Jan 17th 24.

The problem was discovered on the .NET server when a misconfigured HTTP service kept trying to open the server endpoint.
The message in the logs:
07:35:11.5838 info: OPC[0] TCPSERVERCHANNEL SOCKET ATTACHED: 0268589A, ChannelId=22
07:35:11.5838 fail: OPC[0] BadTcpMessageTooLarge: BufferSize=65535; MessageSize=1952804143
07:35:11.5840 fail: OPC[0] TCPSERVERCHANNEL ForceChannelFault Socket=0268589A, ChannelId=0, TokenId=0, Reason=BadTcpMessageTooLarge 'Messages size 1952804143 bytes is too large for buffer of size 65535.'
07:35:11.5840 info: OPC[0] ChannelId 22: in Faulted state.

In fact, the connection was initiated by an HTTP GET request: GET /metrics HTTP/1.1, where /met is interpreted as the message size.

The malicious connection was only identified by the bad buffer size and caused a channel fault. In the worst case the misconfigured service just spams the log files, but a malicious service could use the vector to cause some sort of DoS attack.

The conclusion of the discussion was to recommend adding a more sophisticated first packet inspection when the first hello/reverse hello message is parsed.
Also some means of reducing the overall log output if such a condition is detected, e.g. by logging only some statistical output once per minute as to how many connection attempts failed due to a faulted service connection.

Tags: No tags attached.
Commit Version
Fix Due Date

Activities

Jim Luth

2024-02-27 17:47

administrator   ~0020868

Add section to Part 2 about mitigating DOS effects by log throttling.
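
A sketch of the first-packet inspection and per-minute log summary discussed in this issue, as an added example that is not part of the issue or of the .NET server's code. The names naive_size, inspect_first_packet and RejectStats, the 65535-byte buffer default and the sample endpoint URL are assumptions made for illustration; the header layout (3-byte message type, reserved byte 'F', little-endian UInt32 size) is the OPC UA TCP one.

```python
import struct
from collections import Counter

# OPC UA TCP header: 3-byte MessageType, reserved byte 'F', UInt32 LE MessageSize.
HEADER_LEN = 8
# Smallest legal size per opening message (header + fixed fields + string prefixes).
MIN_SIZE = {b"HEL": HEADER_LEN + 5 * 4 + 4, b"RHE": HEADER_LEN + 4 + 4}

def naive_size(data: bytes) -> int:
    """Bytes 4..7 read as the size without checking the type first."""
    return struct.unpack_from("<I", data, 4)[0]

def inspect_first_packet(data: bytes, buffer_size: int = 65535) -> str:
    """Classify the first bytes on a new socket; 'ok' means keep parsing."""
    if len(data) < HEADER_LEN:
        return "short"
    if data[:3] not in MIN_SIZE or data[3:4] != b"F":
        return "not-opcua"  # foreign protocol: do not treat bytes 4..7 as a size
    if not MIN_SIZE[data[:3]] <= naive_size(data) <= buffer_size:
        return "bad-size"
    return "ok"

class RejectStats:
    """Counts rejections and returns one summary line per interval."""
    def __init__(self, interval: float = 60.0):
        self.interval, self.start, self.counts = interval, None, Counter()

    def record(self, reason: str, now: float):
        if self.start is None:
            self.start = now
        self.counts[reason] += 1
        if now - self.start < self.interval:
            return None  # inside the window: count only, log nothing
        line = "rejected first packets: " + ", ".join(
            f"{k}={v}" for k, v in sorted(self.counts.items()))
        self.start, self.counts = None, Counter()
        return line

# Constructed inputs: the HTTP request from the report and a minimal Hello.
HTTP_PROBE = b"GET /metrics HTTP/1.1\r\n\r\n"
URL = b"opc.tcp://localhost:4840"
BODY = struct.pack("<5Ii", 0, 65535, 65535, 0, 0, len(URL)) + URL
HELLO = b"HELF" + struct.pack("<I", HEADER_LEN + len(BODY)) + BODY

if __name__ == "__main__":
    print(naive_size(HTTP_PROBE), inspect_first_packet(HTTP_PROBE))
    print(inspect_first_packet(HELLO))
```

Reading bytes 4..7 of the HTTP request as a size reproduces the 1952804143 value from the log, while checking the message type first rejects the connection before any size is interpreted.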

Issue History

Date Modified Username Field Change
2024-01-17 16:56 Martin Regen New Issue
2024-02-27 17:40 Jim Luth Assigned To => Randy Armstrong
2024-02-27 17:40 Jim Luth Status new => assigned
2024-02-27 17:46 Jim Luth Project 10000-006: Mappings => 10000-002: Security
2024-02-27 17:46 Jim Luth Assigned To Randy Armstrong => Paul Hunkar
2024-02-27 17:47 Jim Luth Note Added: 0020868