ravthan / all-eyes

Automatically exported from code.google.com/p/all-eyes

Denial of service concern with SSL-client limitation. #106

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Documentation states that the “ae daemon entertains only one SSL-client at 
any given time.”

There is concern that a denial of service attack could be performed by 
initiating an SSL connection to the daemon and then not completing the 
handshake.

Eventually the socket *should* be closed due to timeout, but in the meantime 
the system isn’t available to proper clients.

Original issue reported on code.google.com by amoun...@students.poly.edu on 22 Nov 2012 at 3:41

GoogleCodeExporter commented 8 years ago
Since in our case the ae proxy and the ae daemon are on the same host I think 
we can put an iptables rule in place to block traffic to port 6000 for all IPs 
that are not 127.0.0.1.

Original comment by tbrt....@gmail.com on 25 Nov 2012 at 1:25

GoogleCodeExporter commented 8 years ago
Would still recommend setting explicit/sane timeouts for SSL handshakes; that 
would protect against an improperly configured proxy. It'd be embarrassing to DOS 
yourself. :)

Original comment by amoun...@students.poly.edu on 25 Nov 2012 at 3:59
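An added example, not code from the all-eyes project, of the handshake deadline suggested in the comment above: a single-client accept loop that bounds the TLS handshake with a socket timeout, so a peer that opens TCP and never sends a ClientHello is dropped instead of holding the one slot. The 5-second default and the demo scenario (a certificate-less server context, a client that connects and stays silent) are assumptions made for the example.

```python
import socket
import ssl
import time

# Assumed value: the all-eyes documentation quoted above states no timeout.
HANDSHAKE_TIMEOUT = 5.0


def serve_one_client(listener, ctx, handle, handshake_timeout=HANDSHAKE_TIMEOUT):
    """Accept one connection and return 'served', 'timeout' or 'error'.

    A client that connects but never finishes the TLS handshake is dropped
    after handshake_timeout seconds, so it cannot keep the single slot busy.
    """
    conn, _peer = listener.accept()
    try:
        conn.settimeout(handshake_timeout)          # bounds every handshake read
        if ctx is not None:
            conn = ctx.wrap_socket(conn, server_side=True,
                                   do_handshake_on_connect=False)
            conn.do_handshake()                     # socket.timeout if the peer stalls
        conn.settimeout(None)                       # handshake done; normal blocking I/O
        handle(conn)
        return "served"
    except socket.timeout:
        return "timeout"
    except (ssl.SSLError, OSError):
        return "error"
    finally:
        conn.close()


def simulate_stalled_handshake(handshake_timeout=0.5):
    """Constructed scenario: a client completes TCP but never sends a ClientHello.

    Returns (outcome, seconds_blocked). The server context carries no
    certificate because the demo never needs a handshake to succeed.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                 # loopback only, like the iptables rule
    listener.listen(1)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    stalled = socket.create_connection(listener.getsockname())  # TCP up, TLS never started
    try:
        start = time.monotonic()
        outcome = serve_one_client(listener, ctx, lambda c: None, handshake_timeout)
        return outcome, time.monotonic() - start
    finally:
        stalled.close()
        listener.close()


if __name__ == "__main__":
    print(simulate_stalled_handshake())  # outcome is 'timeout' after about 0.5 s
```

Without the settimeout call before do_handshake, the same scenario blocks the daemon until the kernel or the peer gives up.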

GoogleCodeExporter commented 8 years ago
There are two windows of Denial of Service attack here.
1. TCP three-way handshake - this is mitigated by the kernel-level timeout of 
sockets.
2. A rogue client getting in between an SSL negotiation. This problem has 
been fixed since the openssl 0.98l release onwards (Reference: CVE-2009-3555).

However, an external mechanism may be needed to mitigate this attack as stated 
in the comment #1.

Original comment by ravt...@gmail.com on 25 Nov 2012 at 9:35

GoogleCodeExporter commented 8 years ago
Added the following lines to the installation script:

echo "****** set iptables rule ******"
# Accept the local ae proxy first, then drop every other packet aimed at the daemon port.
# A literal address is used rather than "localhost", which iptables would resolve at insertion time.
sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 6000 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 6000 -j DROP

This will block the communication to port 6000 from off-board. Based on what 
Ravi documented in comment #3, OpenSSL addressed the issue in versions greater 
than 0.9.8.

Original comment by tbrt....@gmail.com on 26 Nov 2012 at 12:45

GoogleCodeExporter commented 8 years ago
Verified with unit testing

Original comment by tbrt....@gmail.com on 9 Dec 2012 at 9:24