| Line 348: | Line 348: | ||
== Security Logging & Defense == | == Security Logging & Defense == | ||
=== | ===DOS Defense=== | ||
* Least Recently Used (LRU) approach for monitoring IP addresses issuing frequent requests | * Least Recently Used (LRU) queue approach for monitoring IP addresses issuing frequent requests | ||
** Configurable threshold for adding IP address to Blacklist/Penalty Box | ** Configurable threshold for adding IP address to Blacklist/Penalty Box | ||
** Configurable time-out for IP addresses added to Blacklist/Penalty Box | ** Configurable time-out for IP addresses added to Blacklist/Penalty Box | ||
** Concern - NAT'ed IP address used by multiple users | ** Concern - NAT'ed IP address used by multiple users | ||
* A single shared blacklist will exist within memcache | |||
* LRU queues will be unique to each server and will penalize an IP to the shared blacklist on memcache | |||
* All thresholds will be controlled via the configuration page | |||
=== TearDown DOS Defense === | === TearDown DOS Defense === | ||
* Tear down requires valid channel and valid x-keyexchange-id value | * Tear down requires valid channel and valid x-keyexchange-id value | ||
* Statistically unlikely. Channel is 4 characters and keyexchange-id is 255 characters | * Statistically unlikely. Channel is 4 characters and keyexchange-id is 255 characters | ||
* Brute force attempts will generate lots of noise and will be limited per DOS defense | |||
===Logging Points=== | ===Logging Points=== | ||
CEF logging | CEF logging events generated for the following: | ||
* Bad action taken against a valid channel id | * Bad action taken against a valid channel id (denoted by 400 error code) | ||
** Examples: non-existent x-keyexchange-id, bad x-keyexchange-id | |||
* Any action taken against an invalid channel id | * Any action taken against an invalid channel id | ||
** Examples: request for invalid channel id with or without x-keyexchange-id | |||
* IP address sent to black list due to DOS prevention controls | |||
** Examples: Flood of requests from a single IP | |||
* Client fallback to original sync method | * Client fallback to original sync method | ||
* | ** Examples: Client unable to complete j-pake sync for any number of reasons and falls back to original sync approach | ||
** Reported by client to server via reporting API | |||
== Brian's Notes == | == Brian's Notes == | ||
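Review bot: The per-server LRU queues added under DOS Defense ("LRU queues will be unique to each server and will penalize an IP to the shared blacklist on memcache") mean the configurable threshold is applied independently on each server, so an address whose requests are spread across N servers by the load balancer can issue roughly N times the threshold before any single queue penalizes it; state whether the threshold is meant per server or cluster-wide, or keep the request count in the shared memcache alongside the blacklist so one configured number holds regardless of server count. The NAT concern ("Concern - NAT'ed IP address used by multiple users") is carried over unchanged even though the new lines now commit to a single shared blacklist with a time-out, so record which of the configurable settings (threshold, time-out) is the intended mitigation for a shared address, and consider adding the triggering server and the threshold value to the new "IP address sent to black list" CEF event so that false positives from NAT'ed addresses can be investigated from the log alone.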