Duane Wessels wrote:
> I can think of many DOS attacks with ident, not just this one.
What else?
The implementation only reads one packet so huge replies are not a DOS
problem. Fragmented replies may be a problem but ignored until someone
finds an ident server which sends the reply in more than one packet.
The lookup times out after read_timeout. This should be changed to
connect_timeout or a ident specific value. As you say the ident lookup
should have a much shorter timeout.
> I think it's a risk the cache admin takes when they enable this
> option.
I don't agree with this thinking. ident does not need to be a risky
operation.
> Much better ways of authentication exist, so I don't think
> we need to bend-over backwards making this one work ideally.
That is true, but not much is needed.
> For example, I would rather have an 'ident_timeout' option with
> a small default, like 10 seconds.
Even 10 seconds opens the door to a DOS attack with ident_lookup on.
> I wonder if it would also work to have ACL-only ident lookups, but
> with a keyword like "ANY" so that if the lookup fails the request
> is still processed. That would really simplify things too.
That is a good idea, but won't solve the problem of not invoking
multiple ident lookups on the same connection.
Also, ident_lookup is needed to get ident lookups on bad/malformed
requests. This is to catch those idiots who telnet to the http port and
try to explore ways to abuse it for other uses but fail.
Received on Tue Jul 29 2003 - 13:15:55 MDT
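The two points raised in the message above, a short ident-specific timeout rather than a reused read_timeout and tolerance for a reply split over more than one packet, as an added example that is neither Squid's code nor the poster's: a hypothetical Python ident (RFC 1413) client plus a constructed local test peer. IDENT_TIMEOUT, MAX_REPLY and fake_ident_server are assumptions made for this illustration.

```python
import socket, threading, time
# Added, hypothetical ident (RFC 1413) client; not Squid's own code. The lookup
# gets its own short deadline (not a reused read_timeout) and reads to CRLF under
# a size cap: a reply split over packets still parses, a silent peer fails fast.
IDENT_TIMEOUT = 2.0   # assumed ident-specific timeout, in seconds
MAX_REPLY = 1024      # ident replies are short; cap what we buffer

def parse_ident_reply(line):
    """User from a 'port, port : USERID : os : user' line, else None."""
    parts = [p.strip() for p in line.split(":", 3)]
    return parts[3] if len(parts) == 4 and parts[1].upper() == "USERID" else None

def ident_lookup(host, server_port, client_port, ident_port=113,
                 timeout=IDENT_TIMEOUT):
    """Query host's ident server; None on timeout, error or malformed reply."""
    deadline = time.monotonic() + timeout
    buf = b""
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{server_port}, {client_port}\r\n".encode())
            while b"\r\n" not in buf and len(buf) < MAX_REPLY:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return None           # one overall deadline, not per recv()
                s.settimeout(remaining)
                chunk = s.recv(256)
                if not chunk:
                    break                 # peer closed without a full line
                buf += chunk
    except OSError:                       # refused, reset, or socket.timeout
        return None
    line, crlf, _ = buf.partition(b"\r\n")
    return parse_ident_reply(line.decode("ascii", "replace")) if crlf else None

def fake_ident_server(chunks, delay=0.0, hold=0.0):
    """Constructed test peer: sends its reply in pieces, then lingers hold s."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.recv(64)                     # the "server-port, client-port" query
        for c in chunks:
            time.sleep(delay)
            conn.sendall(c)
        time.sleep(hold)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

With the reply split in two the client still returns the user, while a peer that sends a partial line and then goes quiet is cut off at the deadline instead of holding the lookup open.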