From owner-freebsd-current Fri Feb 18 8:59:11 2000
Delivered-To: freebsd-current@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 9AD1D37B9D7; Fri, 18 Feb 2000 08:59:05 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id LAA41621; Fri, 18 Feb 2000 11:59:02 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Fri, 18 Feb 2000 11:59:02 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Lyndon Nerenberg
Cc: Mark Murray, Peter Wemm, current@FreeBSD.ORG, committers@FreeBSD.ORG
Subject: Re: Crypto progress! (And a Biiiig TODO list)
In-Reply-To: <200002181628.e1IGS9P48266@orthanc.ab.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Another technique that could be used, and gets discussed occasionally on
-security, is passing authentication information via ancillary data
transfer on UNIX domain sockets. You could limit the effectiveness of DOS
attacks by rate limiting per-uid, for example.

It should be noted that both the old and new schemes are subject to denial
of service--the old due to locking, and the new due to socket/IPC limits,
among other things. I would argue, however, that the new mechanism reduces
risk as it would allow us to remove the setuid bit from a number of
binaries, instead relying on a single auditable code base in the password
file manager.

If we plan to move to more daemons using IPC to communicate in this style,
we might want to think about consistency guidelines for doing this. For
example, mandating an LPC structure of some sort, or managing parallelism
on a single pipe, etc. Also, documenting techniques that tend to reduce
the risk of denial of service for daemons offering IPC services.
Robert

On Fri, 18 Feb 2000, Lyndon Nerenberg wrote:

> >>>>> "Mark" == Mark Murray writes:
>
> Mark> o A username may only be checked $number times per
> Mark> $timeperiod; after that, _all_ answers are silently
> Mark> converted to "no".
>
> Umm, massive DOS hole.
>
> Mark> o Daemon may only be invoked $number times per $timeperiod;
> Mark> refuses to fork after that.
>
> Another massive DOS hole.
>
> Mark> o Daemon will delay $timeperiod before returning answer.
>
> This is the correct way to deal with (perceived) attacks.
>
> Mark> ... etc. There are possibilities for DoS attacks, but the
> Mark> daemon talks only to a Unix Domain Socket, so finding the
> Mark> perp is easy.
>
> Not if the daemon has shut itself off due to load (#1 or #2 above) and you
> aren't currently logged in to the box.
>
> --lyndon
>
>

Robert N M Watson
robert@fledge.watson.org      http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
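The two ideas in Robert's message above, taking the caller's uid from the kernel over a UNIX domain socket rather than trusting anything the client writes into the request, and throttling per uid so that one abusive caller cannot make the daemon refuse everyone (the objection Lyndon raises to the global limits), as an added C example. This is not code from the thread or from FreeBSD's password daemon. It assumes a connected stream socket and uses the getsockopt form of credential passing (LOCAL_PEERCRED on FreeBSD, SO_PEERCRED on Linux) instead of the SCM_CREDS ancillary data Robert mentions; the limiter, its table size and the limits in main() are constructed for illustration.

```c
#define _GNU_SOURCE          /* struct ucred / SO_PEERCRED on Linux */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#ifdef __FreeBSD__
#include <sys/ucred.h>       /* struct xucred for LOCAL_PEERCRED */
#endif

/* Ask the kernel who is on the other end of a connected UNIX-domain
 * socket. Unlike a uid carried in the request body, this cannot be
 * forged by the client. Returns 0 on success, -1 on failure. */
int peer_uid(int fd, uid_t *uid)
{
#ifdef __FreeBSD__
    struct xucred xuc;
    socklen_t len = sizeof(xuc);
    if (getsockopt(fd, 0 /* SOL_LOCAL */, LOCAL_PEERCRED, &xuc, &len) != 0)
        return -1;
    if (xuc.cr_version != XUCRED_VERSION)
        return -1;
    *uid = xuc.cr_uid;
#else
    struct ucred uc;
    socklen_t len = sizeof(uc);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &uc, &len) != 0)
        return -1;
    *uid = uc.uid;
#endif
    return 0;
}

/* Per-uid fixed-window limiter (constructed example, not FreeBSD code).
 * A uid that exceeds max_per_window is refused until its window rolls
 * over; every other uid keeps being served. */
#define MAX_TRACKED 64
struct uid_bucket { uid_t uid; time_t window_start; unsigned count; int used; };
struct limiter {
    unsigned max_per_window;
    time_t window_secs;
    struct uid_bucket b[MAX_TRACKED];
};

void limiter_init(struct limiter *l, unsigned max_per_window, time_t window_secs)
{
    memset(l, 0, sizeof(*l));
    l->max_per_window = max_per_window;
    l->window_secs = window_secs;
}

/* Returns 1 if a request from uid at time now should be served, 0 if refused. */
int limiter_allow(struct limiter *l, uid_t uid, time_t now)
{
    struct uid_bucket *slot = NULL, *victim = NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        struct uid_bucket *b = &l->b[i];
        if (b->used && b->uid == uid) { slot = b; break; }
        /* reuse candidate: an empty slot, else the stalest occupied one */
        if (!victim || !b->used ||
            (victim->used && b->window_start < victim->window_start))
            victim = b;
    }
    if (!slot) {                       /* first sighting of this uid (or evicted) */
        slot = victim;
        slot->used = 1; slot->uid = uid; slot->window_start = now; slot->count = 0;
    }
    if (now - slot->window_start >= l->window_secs) {   /* window rolled over */
        slot->window_start = now;
        slot->count = 0;
    }
    if (slot->count >= l->max_per_window)
        return 0;
    slot->count++;
    return 1;
}

/* Sends n requests from uid one second apart starting at t0; returns how many were served. */
int count_allowed(struct limiter *l, uid_t uid, time_t t0, int n)
{
    int served = 0;
    for (int i = 0; i < n; i++)
        served += limiter_allow(l, uid, t0 + i);
    return served;
}

/* Self-check: over a socketpair the peer is this process, so the kernel-reported
 * uid must equal getuid(). Returns 1 on match, 0 on mismatch, -1 on error. */
int socketpair_peer_matches_self(void)
{
    int sv[2];
    uid_t uid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int rc = peer_uid(sv[0], &uid);
    close(sv[0]);
    close(sv[1]);
    if (rc != 0)
        return -1;
    return uid == getuid();
}

int main(void)
{
    struct limiter l;
    limiter_init(&l, 3, 60);           /* constructed limits: 3 checks per 60 s per uid */
    printf("peer uid matches getuid(): %d\n", socketpair_peer_matches_self());
    printf("uid 1001, 5 requests: %d served\n", count_allowed(&l, 1001, 100, 5));
    printf("uid 1002 meanwhile: %d\n", limiter_allow(&l, 1002, 104));
    return 0;
}
```

The kernel answers the "who is this?" question before any password is looked at, so the limiter keys on something the client cannot choose; a global "refuse after $number calls" limit would turn into the lockout Lyndon describes, whereas here the fourth request from uid 1001 is refused while uid 1002 is still answered.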