Comment 19 for bug 1253980

Phil Day (philip-day) wrote : RE: [Bug 1253980] Re: DoS attack via setting os_type in snapshots.

Hi Thierry,

A minor clarification on the impact description:

"By repeatedly spawning new instances of a snapshotted server with random os_type ..." should read "By repeatedly creating snapshots, changing the os_type to a new random value, and spawning new instances from the snapshot ..."

I don’t think it's necessarily that costly - you do have to pay for each instance you create, but it can be the smallest instance needed and doesn’t have to exist any longer than the time to create it. You could probably even kill the instance before it gets to Active (it only needs to get past the creation of the ephemeral backing file) and avoid any billing at all on some systems. Likewise you don't have to keep the snapshots once the instance has been created. Because the ephemeral backing files are never cleared up (it's assumed that they are small and a limited set) you don't have to do this at a fast rate to create a long-term attack.

Phil

> -----Original Message-----
> From: <email address hidden> [mailto:<email address hidden>] On Behalf
> Of Thierry Carrez
> Sent: 09 December 2013 16:06
> To: Day, Phil
> Subject: [Bug 1253980] Re: DoS attack via setting os_type in snapshots.
>
> After writing the impact description it appears to me that this DoS vector
> could end up being costly for the attacker. I tend to consider "costly DoS" to
> fall in the same category as "normal usage" for a resource provider...
> Thoughts on that? Should this still be considered a practical vulnerability?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1253980
>
> Title:
> DoS attack via setting os_type in snapshots.
>
> Status in OpenStack Compute (Nova):
> In Progress
> Status in OpenStack Compute (nova) grizzly series:
> New
> Status in OpenStack Compute (nova) havana series:
> New
> Status in OpenStack Security Advisories:
> Triaged
>
> Bug description:
> If the os_type metadata is set on an image, the ephemeral disk backing file
> for that image will be named ephemeral_[size]_[os_type].
> Because the user can change os_type they can use this to create new
> ephemeral backing files.
> Nova image cache management does not include deleting ephemeral
> backing files (presumably because they are expected to be a small, stable
> set).
>
> Hence a user can fill the disk with ephemeral backing files via the
> following:
>
> 1) Spawn an instance
> 2) Create a snapshot from it, delete the original instance
> 3) In a loop:
> generate a random os_type
> set os_type to the snapshot
> spawn an instance from it, and then delete the instance
>
> Every iteration will generate an ephemeral backing file on a compute
> host. With a stacking scheduling policy there is a good chance of
> hitting the same host repeatedly until its disk is full.
>
> Suggested mitigation
>
> Only use “os_type” in the ephemeral file name if there is a specific
> mkfs command defined, otherwise use “default” (Currently for
> undefined os-types it will use the default mkfs command, but still
> uses os_type in the name).
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/1253980/+subscriptions
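
The suggested mitigation from the bug description, sketched as an added example (not part of the original thread and not Nova's own code). The function names, the `MKFS_COMMANDS` table and the sample os_type values are hypothetical, and an unset os_type is assumed to be named "default".

```python
"""Added illustration: ephemeral backing-file naming before and after the
suggested mitigation. All names here are hypothetical, not Nova's code."""

# Constructed sample: os_type values that have a specific mkfs command defined.
MKFS_COMMANDS = {
    "linux": "mkfs.ext3",
    "windows": "mkfs.ntfs",
}


def name_as_reported(size_gb, os_type):
    """ephemeral_[size]_[os_type]: any user-supplied value reaches the name.

    Assumption: an unset os_type is named "default".
    """
    return f"ephemeral_{size_gb}_{os_type or 'default'}"


def name_mitigated(size_gb, os_type):
    """Use os_type only when a specific mkfs command is defined for it."""
    suffix = os_type if os_type in MKFS_COMMANDS else "default"
    return f"ephemeral_{size_gb}_{suffix}"


def distinct_files(namer, size_gb, os_types):
    """Backing files one host would accumulate for this disk size."""
    return {namer(size_gb, t) for t in os_types}


def max_files_per_size():
    """Upper bound on backing files per disk size once mitigated."""
    return len(MKFS_COMMANDS) + 1  # one per defined os_type, plus "default"


if __name__ == "__main__":
    # Constructed input: 100 arbitrary os_type values plus the known ones.
    seen = [f"type-{i:03d}" for i in range(100)] + ["linux", "windows", None]
    print(len(distinct_files(name_as_reported, 1, seen)))
    print(len(distinct_files(name_mitigated, 1, seen)))
```

With the mitigated naming, the number of backing files per disk size is bounded by the operator's mkfs table rather than by user-supplied metadata.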