Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[security] syslog floods during DoS attack on REST server #13576

Open
jusherma opened this issue Feb 1, 2023 · 9 comments
Open

[security] syslog floods during DoS attack on REST server #13576

jusherma opened this issue Feb 1, 2023 · 9 comments
Assignees
@sachinholla
Labels
BRCM Triaged this issue has been triaged

Comments

@jusherma
Copy link
Contributor

jusherma commented Feb 1, 2023

Description

Sending malicious traffic to the REST server causes log flooding. These logs can rapidly fill the syslog. During tests, more than 1.5 MB of these messages were written per minute of DoS attack. This could be used to force log rotation, concealing earlier malicious activity from logs. It could also cause a system outage by filling up the disk.

Steps to reproduce the issue:

Run these commands in parallel from Kali Linux, where 172.31.0.2 is the IP address of an interface on SONiC and 172.31.0.6 is an unassigned IP address

arpspoof -i eth1 -t 172.31.0.2 172.31.0.6 > /tmp/arpspoof 2>&1 &
srvr -SAa -i eth1 172.31.0.6 > /tmp/srvr 2>&1 &
hping3 172.31.0.2 -p 443 -S -a 172.31.0.6 -i u10000 -q

Describe the results you received:

Within about 2 minutes, warnings about TLS handshake timeouts will start rapidly flooding /var/log/syslog:

Dec  3 08:42:34.123901 sonic INFO mgmt-framework#/supervisord: rest-server 2022/12/03 08:42:34 http: TLS handshake error from 172.31.0.4:1558: read tcp 172.31.0.2:443->172.31.0.4:1558: read: connection timed out

Describe the results you expected:

  1. REST server should only be listening to the mgmt interface
  2. Minor errors, especially those triggered by unauthenticated users, should not be logged or should be rate-limited
  3. fail2ban should be used to block abusive or malicious clients
@gechiang gechiang added Triaged this issue has been triaged BRCM labels Feb 1, 2023
@adyeung
Copy link
Collaborator

adyeung commented Feb 2, 2023

@jeff-yin this is relating to RBAC, pls help followup with your team

@adyeung adyeung added DELL and removed BRCM labels Feb 2, 2023
@adyeung adyeung assigned jeff-yin and unassigned adyeung Feb 2, 2023
@jeff-yin
Copy link
Collaborator

jeff-yin commented Feb 2, 2023
edited
Loading

@adyeung I don't think this is a role-based access control issue, as it has to do with unauthenticated users. This is more related to the configuration and logging done by the REST server.

  1. REST server should only be listening to the mgmt interface

The REST server should be configurable to do this, or a separate mgmt VRF can be configured as well.

  1. Minor errors, especially those triggered by unauthenticated users, should not be logged or should be rate-limited

Need to take a look at how the REST server is passing error messages to the syslog. But even so, some of these logs are worth keeping for troubleshooting purposes.

  1. fail2ban should be used to block abusive or malicious clients

I think this is more important than point 2. We should configure this on the host right?

@jeff-yin jeff-yin removed their assignment Feb 2, 2023
@jeff-yin
Copy link
Collaborator

jeff-yin commented Feb 3, 2023

Sorry, unassigned myself thinking I could re-assign. But I can't. Feel free to re-assign to me for now.

@adyeung
Copy link
Collaborator

adyeung commented Feb 3, 2023

Discussing offline over email, I will move assignee once we reach a conclusion offline

@adyeung adyeung added BRCM and removed DELL labels Feb 3, 2023
@adyeung
Copy link
Collaborator

adyeung commented Feb 6, 2023

@sachinholla from BRCM working on a fix

@jeff-yin
Copy link
Collaborator

jeff-yin commented Feb 6, 2023

Thanks @adyeung and @sachinholla

@sachinholla
Copy link
Contributor

hi @jusherma,

How to install the "srvr" tool? I did not find it in kali tools page.

About REST server listening to the mgmt interface only -- most of the deployments I have seen wanted inband management. Will keep the current behavior as is and consider supporting a bind interface/vrf option in future.
Note: REST server followed the behavior of the telemetry service which is already in use in many production environments today. Telemetry server also listens on all interfaces.

About fail2ban -- if I understand correctly, this will be a new service monitoring the logs and adjusting he firewall rules (may be ACLs??).. It should be discussed & tracked as a separate security enhancement for sonic. Not specific to REST server.

@sachinholla sachinholla mentioned this issue Feb 13, 2023
Merged
@jusherma
Copy link
Contributor Author

jusherma commented Feb 14, 2023
edited
Loading

hi @jusherma,

How to install the "srvr" tool? I did not find it in kali tools page.

I think you should be able to reproduce this even without the srvr tool. Let me know if you cannot

About REST server listening to the mgmt interface only -- most of the deployments I have seen wanted inband management. Will keep the current behavior as is and consider supporting a bind interface/vrf option in future. Note: REST server followed the behavior of the telemetry service which is already in use in many production environments today. Telemetry server also listens on all interfaces.

Binding a server to all interfaces by default is poor security posture. It's ok to allow users to bind telemetry or REST server to all interfaces, but using that as a default is a security risk. I already have opened another issue about telemetry's use of binding to 0.0.0.0.

About fail2ban -- if I understand correctly, this will be a new service monitoring the logs and adjusting he firewall rules (may be ACLs??).. It should be discussed & tracked as a separate security enhancement for sonic. Not specific to REST server.

You're correct--fail2ban monitors log files and uses iptable rules to temporarily block abusive clients.

fail2ban needs to both be (a) added to SONIC and (b) enabled for each service we wish to protect. Regardless of how this task is tracked, work will need to be done to enable it for the REST server specifically.

@adyeung
Copy link
Collaborator

adyeung commented May 31, 2023

sonic-net/sonic-mgmt-framework#102

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sachinholla sachinholla

Labels
BRCM Triaged this issue has been triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jeff-yin @adyeung @sachinholla @gechiang @jusherma