1 |
You may use some dedicate hardware to make your server not the first in |
2 |
the row to fail in case of an entropy exhaustion attack. |
3 |
http://www.entropykey.co.uk/ |
4 |
|
5 |
Dw. |
6 |
-- |
7 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
8 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
9 |
|
10 |
2012.Szeptember 19.(Sze) 01:27 időpontban Walter Stanish ezt írta: |
11 |
> Hi there, |
12 |
> |
13 |
> This is a bit general, rather than a specific suggestion, since I |
14 |
> don't think I can make tomorrow's meeting maybe people might like to |
15 |
> discuss it there. |
16 |
> |
17 |
> Reading the more recent OpenSSL man page it occurred to me that there |
18 |
> may be a potential with some types of daemons (such as recent OpenSSL |
19 |
> run with the 2.x default of --key-method 2) to facilitate remote |
20 |
> system entropy exhaustion as a type of DoS. |
21 |
> |
22 |
> I am aware of entropy gathering daemons but none so much for entropy |
23 |
> as an input to overall system management (connection throttling, |
24 |
> control group freezing, etc.). |
25 |
> |
26 |
> Has there been any attempt to integrate system entropy management with |
27 |
> any major Linux distribution? |
28 |
> Has Gentoo hardened looked at entropy impact of various packages? |
29 |
> |
30 |
> I think there could be some research potential here. |
31 |
> |
32 |
> The first step might be to establish suitably automated mechanisms for |
33 |
> formal testing of package / package revision entropy impact under |
34 |
> various test loads, with a view towards enhancing the visibility and |
35 |
> ease of entropy management across hardened gentoo systems. |
36 |
> - I'm not sure if there is an automated test suite set up within the |
37 |
> Gentoo infrastructure at present, though some packages have built-in |
38 |
> tests, and some packages have a USE flag to enable/disable these, it |
39 |
> seems difficult to re-run these tests after packages are emerged. |
40 |
> - There are also more general testing tools such as the Apache |
41 |
> Project's 'ab' and 'bonnie++' that could be used for some types of |
42 |
> packages. |
43 |
> |
44 |
> Whilst it is easily possible to monitor entropy over time (eg: using |
45 |
> rrdtool configured to source data from |
46 |
> /proc/sys/kernel/random/entropy_avail) I have never heard of any |
47 |
> attempt to monitor this availability over time and integrate it in to |
48 |
> system management. I have however heard of problems with relatively |
49 |
> commonly deployed daemons (I forget which now, but not so long ago it |
50 |
> happened to me too) wherein entropy exhaustion causes a complete |
51 |
> functional DoS for a process blocking for unavailable entropy. |
52 |
> |
53 |
> Perhaps a new control group implementation for maximum entropy draw |
54 |
> rate per namespace might also be a useful contribution to the kernel? |
55 |
> |
56 |
> I suppose this sort of thing is tending to increase in importance as |
57 |
> the density of services per physical system increases under the |
58 |
> continuing trend towards high density virtual hosting (either |
59 |
> container based or paravirtualized). |
60 |
> |
61 |
> First post here ... hope I'm not completely off track with this, just |
62 |
> throwing the idea out there. |
63 |
> |
64 |
> Cheers, |
65 |
> Walter |
66 |
> |