1 |
On 09/18/2012 06:27 PM, Walter Stanish wrote: |
2 |
> Hi there, |
3 |
> |
4 |
> This is a bit general, rather than a specific suggestion, since I |
5 |
> don't think I can make tomorrow's meeting maybe people might like to |
6 |
> discuss it there. |
7 |
> |
8 |
> Reading the more recent OpenSSL man page it occurred to me that there |
9 |
> may be a potential with some types of daemons (such as recent OpenSSL |
10 |
> run with the 2.x default of --key-method 2) to facilitate remote |
11 |
> system entropy exhaustion as a type of DoS. |
12 |
> |
13 |
> I am aware of entropy gathering daemons but none so much for entropy |
14 |
> as an input to overall system management (connection throttling, |
15 |
> control group freezing, etc.). |
16 |
> |
17 |
> Has there been any attempt to integrate system entropy management with |
18 |
> any major Linux distribution? |
19 |
> Has Gentoo hardened looked at entropy impact of various packages? |
20 |
> |
21 |
> I think there could be some research potential here. |
22 |
> |
23 |
> The first step might be to establish suitably automated mechanisms for |
24 |
> formal testing of package / package revision entropy impact under |
25 |
> various test loads, with a view towards enhancing the visibility and |
26 |
> ease of entropy management across hardened gentoo systems. |
27 |
> - I'm not sure if there is an automated test suite set up within the |
28 |
> Gentoo infrastructure at present, though some packages have built-in |
29 |
> tests, and some packages have a USE flag to enable/disable these, it |
30 |
> seems difficult to re-run these tests after packages are emerged. |
31 |
> - There are also more general testing tools such as the Apache |
32 |
> Project's 'ab' and 'bonnie++' that could be used for some types of |
33 |
> packages. |
34 |
> |
35 |
> Whilst it is easily possible to monitor entropy over time (eg: using |
36 |
> rrdtool configured to source data from |
37 |
> /proc/sys/kernel/random/entropy_avail) I have never heard of any |
38 |
> attempt to monitor this availability over time and integrate it in to |
39 |
> system management. I have however heard of problems with relatively |
40 |
> commonly deployed daemons (I forget which now, but not so long ago it |
41 |
> happened to me too) wherein entropy exhaustion causes a complete |
42 |
> functional DoS for a process blocking for unavailable entropy. |
43 |
> |
44 |
> Perhaps a new control group implementation for maximum entropy draw |
45 |
> rate per namespace might also be a useful contribution to the kernel? |
46 |
> |
47 |
> I suppose this sort of thing is tending to increase in importance as |
48 |
> the density of services per physical system increases under the |
49 |
> continuing trend towards high density virtual hosting (either |
50 |
> container based or paravirtualized). |
51 |
> |
52 |
> First post here ... hope I'm not completely off track with this, just |
53 |
> throwing the idea out there. |
54 |
> |
55 |
> Cheers, |
56 |
> Walter |
57 |
> |
58 |
|
59 |
Like you said, there are some entropy gathering daemons (I use em in |
60 |
VMs), so that's a good place to start I think. After that, I would |
61 |
probably go with some hardware rng solution if you determine this to be |
62 |
that much of a risk. |
63 |
|
64 |
Since you can keep http connections open for long periods of time with |
65 |
HTTP/1.1 that can also be used to help mitigate some exhaustion (rate |
66 |
limit people). In fact, rate limiting in general is probably good. |
67 |
|
68 |
-- |
69 |
-- Matthew Thode (prometheanfire) |