cose451-asu / chat-server

Chatting server implemented by using Scala, Akka, Cats
0 stars 0 forks source link

[Alice and Bob] First attack #2

Open GDtoPlay opened 5 years ago

GDtoPlay commented 5 years ago

Version: 1.0 Env: ubuntu 16.0.4 loc: vulnerability was made by lack of funcs (기능이 없어서 생기는 취약점) type: cwe -400: https://cwe.mitre.org/data/definitions/400.html Explanation of vulnerability: I can't find any function that saving session or viewing user ip address (to prevent multiple login in single machine). That means user can access server with multiple accounts in one machine, and it means malicious user can do DDos Attack with fewer (zombies)machines than usual. you guys should make user to login with limited counts of account.

doohochang commented 5 years ago

Thank for your vulnerability report. As you said, chat-server has no any rate limiting / throttling request techniques. We've already considered about DDos attack, and we think the best solution to prevent those kind of attacks which use large request traffic is using well-known rate limiting tools(nginx, aws gateway, etc...) in infrastructural level(especially, in stage before api gate / load balancer / etc...). Rate limiting by counting user tokens on each application server in cluster maybe less effective than techniques which counts IP/MAC addresses on another ingress component to the service. Conclusionally, we think the responsibility of the vulnerability which you reported should be owned by infrastructural level consideration, not only by chat-server. But also, we think your attack scenario is feasible and thanks for productive ideation.

Team ASU

doohochang commented 5 years ago

We also added simple api rate limit logic for same ip address. See Changes It blocks requests and returns UNAVAILABLE grpc status if there were more than 10 request calls in a second. Thanks!

Team ASU

AlanSynn commented 5 years ago

Commit ID

27ac859

Cause of vulnerability

No interception logic to check the ip and validation with a malicious attack.

Explanation of the patch

Implemented the feature with AtomicReference to prevent the race condition.
Blocks requests and returns UNAVAILABLE grpc status if there were more than 10 request calls in a second.