
RE: Is "Denial Of Service attack" a security issue?



I'm somewhat new to this area, but it seems you can define DOS security
threats using temporal constraints on state change.

For example.  At each point in a security state diagram, you have a
subject requesting some access (r,w,x,a) to an object.  The secure
Reference Monitor (RM, Target of Evaluation (TOE) or Trusted Computing
Base (TCB)) decides to honor or reject the request.  A reject means the
subject isn't authorized to do whatever.  An accept means it is.  If
you add temporal constraints, you have a means of defining DOS threats.

The first level of DOS, it would seem, would be that the 'request' got
"lost" (dropped).  That's pretty bad.  Imagine an OS that under high
load just never 'hears' a program's request to read a file.  Unconscionable.
For such a situation to occur, it usually means 'system failure' -- something
almost always considered a fatal flaw (except for deadlock cases where, say,
2 users each want all of memory to do a task, but each only asks for half to
begin with, then each asks for the 2nd half and both wait a *very* long time --
or the case where they want 2 files and they don't lock the files in the same
order).  In a 'well working' system the system may thrash for a while under
high load, but it won't "drop" the read request, it just may take a while.

An example under Linux -- under 2.2.5, I believe, was my using
"dd if=/dev/sdb of=/dev/sdc" to copy a disk.  A 9G disk took about 15-20
minutes.  Ok...fine.  Then I had to do the same w/an 18G.  Took 9-10 hours!
It did finish, but it thrashed horribly.  While the machine had 1G of memory,
Linux didn't handle buffers cleanly.  So my time to finish wasn't linear.  I'd
say it was a bug in how Linux handled buffers at the time -- *BUT* it didn't
cause a system failure and the request *was* complete.  Since there were
no 'hard' real-time constraints, this was 'ok' (not desirable, but it 'passed').

In that example, it wasn't really a DOS caused by an external user, but one
caused by a system flaw (that has since been remedied -- the same copy now
takes about 40 minutes -- a linear increase).

Anyway, in order to address/measure DOS security issues, one could add to
the operator a time constraint on the state change.  One then can define
priorities in the protocol and classes of service.  Ideally, unauthorized
users would never be able to deny service (w/in a time constraint) to
an authorized user.  Another means is to use 'resource usage bounding' on
individual users.  Say anything more than 3 requests for the same webpage
within a second or 100 requests total for the same user (arbitrary numbers pulled
out of a hat) are limits.  Users exceeding those limits are regarded as
violating security policy and are denied.  This allows 'legitimate' users
continued access in the face of a DOS attack.

It could also be possible for those limits to be dynamic based on total
system load.  Something like how UNIX deals with time-share cpu priorities --
those that are CPU hogs get lower priorities than those using little CPU.

Oddly, it's been common-place for *YEARS* to have cpu, file-size and memory
limitations or dynamic priorities on users -- but it is still rare to see
anything like that built into an OS.  It's sorta like OSes of today
are still operating like single-user systems and networking is something
that was just tacked on as an afterthought.   (Oh how many times have
I wished that I could renice a process's network priority -- large file
xfer (maybe hours long) in background over an ISDN line, but
I want my interactive sessions or small file copies to be snappy).

This may be beyond the scope of IPsec, but ...it'd be nice to start thinking
about it or at least the support for such concepts...

-Linda
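
As an added illustration (not code from the post or from the IPsec list), here is a small per-user resource-usage-bounding limiter in Python that uses the post's own arbitrary numbers (3 requests for the same page within a second, 100 requests total per user) and tightens those limits as a caller-supplied load figure rises; the request trace in `demo()` is constructed, and the load-scaling rule (halve the allowance at full load) is an assumption.

```python
from collections import deque
import time


class RequestLimiter:
    """Deny requests from users who exceed a per-page or total budget
    inside a sliding time window; limits shrink as system load rises."""

    def __init__(self, per_page=3, total=100, window=1.0):
        self.per_page = per_page      # same page, per user, per window
        self.total = total            # all pages, per user, per window
        self.window = window          # seconds
        self.page_hits = {}           # (user, page) -> deque of timestamps
        self.user_hits = {}           # user -> deque of timestamps
        self.load = 0.0               # 0.0 idle .. 1.0 saturated (assumed scale)

    def set_load(self, load):
        self.load = max(0.0, min(1.0, load))

    def _effective(self, limit):
        # Assumed policy: at full load each allowance drops to half, never below 1.
        return max(1, int(limit * (1.0 - 0.5 * self.load)))

    def _prune(self, hits, now):
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()

    def allow(self, user, page, now=None):
        """True if the request is honored; False if the user is over budget
        (treated as a policy violation and denied, per the post)."""
        now = time.monotonic() if now is None else now
        page_q = self.page_hits.setdefault((user, page), deque())
        user_q = self.user_hits.setdefault(user, deque())
        self._prune(page_q, now)
        self._prune(user_q, now)
        if len(page_q) >= self._effective(self.per_page):
            return False
        if len(user_q) >= self._effective(self.total):
            return False
        page_q.append(now)   # only honored requests count against the budget
        user_q.append(now)
        return True


def demo():
    """Constructed trace: 'hog' hammers /index five times in half a second
    while 'alice' makes two ordinary requests to the same page."""
    lim = RequestLimiter()
    hog = [lim.allow("hog", "/index", now=0.1 * i) for i in range(5)]
    alice = [lim.allow("alice", "/index", now=0.1 * i) for i in range(2)]
    return hog, alice
```

`hog` is cut off after its third request while `alice` is unaffected, which is the "legitimate users keep access" property the post is after.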


> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of David Chen
> Sent: Friday, May 26, 2000 7:19 AM
> To: Mr. Anderson
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Is "Denial Of Service attack" a security issue?
> 
> 
> Since IPSec, especially IKE, is not DOS attack resistant,
> what security level is IPSec trying to achieve?
> Shall this be documented in the RFC for the scope/capability of
> the security level?
> Or let the user find out later? (i.e., after being attacked)
> --- David
> 
> 