| 1 |
You may use some dedicate hardware to make your server not the first in |
| 2 |
the row to fail in case of an entropy exhaustion attack. |
| 3 |
http://www.entropykey.co.uk/ |
| 4 |
|
| 5 |
Dw. |
| 6 |
-- |
| 7 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 8 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
| 9 |
|
| 10 |
2012.Szeptember 19.(Sze) 01:27 időpontban Walter Stanish ezt írta: |
| 11 |
> Hi there, |
| 12 |
> |
| 13 |
> This is a bit general, rather than a specific suggestion, since I |
| 14 |
> don't think I can make tomorrow's meeting maybe people might like to |
| 15 |
> discuss it there. |
| 16 |
> |
| 17 |
> Reading the more recent OpenSSL man page it occurred to me that there |
| 18 |
> may be a potential with some types of daemons (such as recent OpenSSL |
| 19 |
> run with the 2.x default of --key-method 2) to facilitate remote |
| 20 |
> system entropy exhaustion as a type of DoS. |
| 21 |
> |
| 22 |
> I am aware of entropy gathering daemons but none so much for entropy |
| 23 |
> as an input to overall system management (connection throttling, |
| 24 |
> control group freezing, etc.). |
| 25 |
> |
| 26 |
> Has there been any attempt to integrate system entropy management with |
| 27 |
> any major Linux distribution? |
| 28 |
> Has Gentoo hardened looked at entropy impact of various packages? |
| 29 |
> |
| 30 |
> I think there could be some research potential here. |
| 31 |
> |
| 32 |
> The first step might be to establish suitably automated mechanisms for |
| 33 |
> formal testing of package / package revision entropy impact under |
| 34 |
> various test loads, with a view towards enhancing the visibility and |
| 35 |
> ease of entropy management across hardened gentoo systems. |
| 36 |
> - I'm not sure if there is an automated test suite set up within the |
| 37 |
> Gentoo infrastructure at present, though some packages have built-in |
| 38 |
> tests, and some packages have a USE flag to enable/disable these, it |
| 39 |
> seems difficult to re-run these tests after packages are emerged. |
| 40 |
> - There are also more general testing tools such as the Apache |
| 41 |
> Project's 'ab' and 'bonnie++' that could be used for some types of |
| 42 |
> packages. |
| 43 |
> |
| 44 |
> Whilst it is easily possible to monitor entropy over time (eg: using |
| 45 |
> rrdtool configured to source data from |
| 46 |
> /proc/sys/kernel/random/entropy_avail) I have never heard of any |
| 47 |
> attempt to monitor this availability over time and integrate it in to |
| 48 |
> system management. I have however heard of problems with relatively |
| 49 |
> commonly deployed daemons (I forget which now, but not so long ago it |
| 50 |
> happened to me too) wherein entropy exhaustion causes a complete |
| 51 |
> functional DoS for a process blocking for unavailable entropy. |
| 52 |
> |
| 53 |
> Perhaps a new control group implementation for maximum entropy draw |
| 54 |
> rate per namespace might also be a useful contribution to the kernel? |
| 55 |
> |
| 56 |
> I suppose this sort of thing is tending to increase in importance as |
| 57 |
> the density of services per physical system increases under the |
| 58 |
> continuing trend towards high density virtual hosting (either |
| 59 |
> container based or paravirtualized). |
| 60 |
> |
| 61 |
> First post here ... hope I'm not completely off track with this, just |
| 62 |
> throwing the idea out there. |
| 63 |
> |
| 64 |
> Cheers, |
| 65 |
> Walter |
| 66 |
> |
Archives