Comment 9 for bug 1549855

Tristan Cacqueray (tristan-cacqueray) wrote :

Chro, the PoC you attached is incomplete. Could you explain why this behavior is more easily detected/prevented when keepalive is disabled? And about repeating logs, what if the attacker uses randomized HTTP payloads?

In short, the vulnerability described here is that unauthenticated and inexpensive calls to the service can generate very large amounts of log data. This type of protection is probably better implemented before the call is even processed by OpenStack's services, and this could be documented as a Security Note or as part of the Security Guide.

I've subscribed OSSG-coresec to discuss an eventual document about rate limiting.
If nobody objects, I'd like to close the OSSA task and remove the privacy setting by the end of this week.
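An added example, not code from the bug report or from OpenStack, of the kind of front-door protection the comment argues for: a per-source token-bucket limiter placed before a stand-in service, compared with naive "repeated message" log de-duplication, under a constructed burst of unauthenticated requests. The source address 203.0.113.7, the bucket parameters (10-request burst, 1 request/second sustained), the 16-byte request bodies and the log line format are all assumptions made for the illustration.

```python
"""Per-source token-bucket rate limiting in front of a service, versus log
de-duplication, against a burst of cheap unauthenticated requests.

Illustrative only; not code from OpenStack or from the bug report.
"""
import random
from typing import Dict, List, Tuple


class TokenBucket:
    """Classic token bucket: `capacity` burst, `refill_per_sec` sustained rate."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity
        self.last = 0.0

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Service:
    """Stand-in for the API service: every request it processes logs one line."""

    def __init__(self) -> None:
        self.log: List[str] = []

    def handle(self, src_ip: str, body: str) -> int:
        self.log.append(f"{src_ip} unauthenticated request body={body!r}")
        return 401


class FrontDoor:
    """Limiter placed before the service (e.g. in a reverse proxy).

    Requests over the per-source limit get 429 and never reach the service,
    so they produce no service-side log line, whatever their payload is.
    """

    def __init__(self, service: Service, burst: int = 10, per_sec: float = 1.0) -> None:
        self.service = service
        self.burst = burst
        self.per_sec = per_sec
        self.buckets: Dict[str, TokenBucket] = {}

    def handle(self, src_ip: str, body: str, now: float) -> int:
        bucket = self.buckets.setdefault(src_ip, TokenBucket(self.burst, self.per_sec))
        if not bucket.allow(now):
            return 429
        return self.service.handle(src_ip, body)


def dedup_log(lines: List[str]) -> List[str]:
    """Naive repeated-message suppression: collapse consecutive identical lines."""
    out: List[str] = []
    for line in lines:
        if not out or out[-1] != line:
            out.append(line)
    return out


def make_burst(n: int, randomized: bool, seed: int = 1) -> List[Tuple[str, str, float]]:
    """Constructed traffic: one assumed source sends n requests within one second."""
    rng = random.Random(seed)
    reqs = []
    for i in range(n):
        body = "".join(rng.choice("abcdef0123456789") for _ in range(16)) if randomized else "x" * 16
        reqs.append(("203.0.113.7", body, i / n))
    return reqs


def compare(n: int = 1000, randomized: bool = True) -> Dict[str, int]:
    """Log lines kept with de-duplication only versus with front-door limiting."""
    unprotected = Service()
    for ip, body, _ in make_burst(n, randomized):
        unprotected.handle(ip, body)

    limited = Service()
    door = FrontDoor(limited, burst=10, per_sec=1.0)
    rejected = sum(1 for ip, body, t in make_burst(n, randomized) if door.handle(ip, body, t) == 429)

    return {
        "raw": len(unprotected.log),
        "dedup_only": len(dedup_log(unprotected.log)),
        "rate_limited": len(limited.log),
        "rejected_at_front_door": rejected,
    }


if __name__ == "__main__":
    print("randomized payload:", compare(randomized=True))
    print("identical payload:", compare(randomized=False))
```

With identical bodies the de-duplication pass collapses the burst to a single line, but with randomized bodies it keeps all 1000, which is the point of the question above; the front-door limiter bounds the service's log to the bucket size in both cases because it acts on the source, not on the content. Keying on the client address is only as good as the source diversity the attacker has, so in a real deployment the limit would also be applied per tenant or globally, and the limiter's own rejections should be logged as counters rather than one line per request.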