Comment 23 for bug 1227575

Thierry Carrez (ttx) wrote :

This one is a classic DoS attack on an endpoint, without amplification. There are two ways of mitigating that issue in a public cloud setting: externally (by deploying rate-limiting proxies) or internally (by adding a rate-limiting feature in Nova novnc proxy itself).

Adding a feature to a stable release is not an option for us. So we pursue two different axes:
- warn users of current stable versions to use rate-limiting proxies to also cover access to the noVNC servers (this is not the first, nor the last place in OpenStack where DoS needs to be mitigated externally). This is what the OSSN that Sriram prepares will recommend
- introduce a new feature to be able to mitigate that within the noVNC proxy, to be shipped in the Icehouse release

In summary, this is definitely a vulnerability, but since it can't be closed without adding a disrupting change in stable releases (which is what an OSSA would have been for), we opted for a "known issue warning + best practice on how to mitigate it" (OSSN) + feature-fix in next version.
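The external mitigation the comment recommends for stable releases (a rate-limiting proxy placed in front of the noVNC endpoint) can be expressed as a reverse-proxy configuration. The following nginx fragment is an added illustration, not configuration from the bug report, the OSSN, or the Nova project; it assumes nova-novncproxy listens on its default port 6080 on a backend host, and the per-client limits (10 new requests per second with a burst of 20, at most 5 concurrent connections per source address) are placeholder values an operator would tune to their own traffic.

```nginx
# Added example: rate-limit access to the noVNC proxy with nginx.
# Assumes nova-novncproxy on backend 10.0.0.10:6080 (constructed address;
# 6080 is the default novncproxy_port in Nova). Limits are placeholders.

http {
    # Request-rate bucket keyed on the client address: 10 new requests/s.
    limit_req_zone  $binary_remote_addr zone=novnc_req:10m rate=10r/s;
    # Concurrent-connection bucket keyed on the client address.
    limit_conn_zone $binary_remote_addr zone=novnc_conn:10m;

    # Return 429 rather than the default 503 when a limit is exceeded,
    # so operators can distinguish throttling from backend failure in logs.
    limit_req_status  429;
    limit_conn_status 429;

    upstream novnc_backend {
        server 10.0.0.10:6080;
    }

    server {
        listen 443 ssl;
        server_name novnc.example.invalid;   # placeholder hostname

        ssl_certificate     /etc/nginx/tls/novnc.crt;   # placeholder paths
        ssl_certificate_key /etc/nginx/tls/novnc.key;

        location / {
            # Allow a short burst, then delay/refuse excess requests.
            limit_req  zone=novnc_req burst=20 nodelay;
            # Cap long-lived websocket sessions per source address.
            limit_conn novnc_conn 5;

            proxy_pass http://novnc_backend;

            # noVNC uses a websocket for the VNC stream; nginx needs
            # HTTP/1.1 and the Upgrade/Connection headers passed through.
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host       $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Idle websocket sessions are closed after this period.
            proxy_read_timeout 600s;
        }
    }
}
```

The request-rate limit blunts the connection flood that the bug describes, while the connection cap bounds how many established websocket sessions a single source can hold open against the proxy. Token consumption on the noVNC proxy itself (the in-tree feature planned for Icehouse) is a separate control; the two are complementary, and the proxy in front does not depend on the Nova version behind it.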