========
Security
========

DOS Defense
===========

- Least Recently Used (LRU) queue approach for monitoring IP addresses issuing frequent requests
- Configurable threshold for adding IP address to Blacklist/Penalty Box
- Configurable time-out for IP addresses added to Blacklist/Penalty Box
- A single shared blacklist will exist within memcache
- LRU queues will be unique to each server and will penalize an IP to the shared blacklist on memcache
- All thresholds will be controlled via the configuration page

TearDown DOS Defense
====================

- Tear down requires valid channel and valid x-keyexchange-id value
- Statistically unlikely. Channel is 4 characters and keyexchange-id is 255 characters
- Brute force attempts will generate lots of noise and will be limited per DOS defense

Logging Points
==============

CEF Logging
:::::::::::

- Bad action taken against a valid channel id (denoted by 400 error code)

  - Examples: non-existent x-keyexchange-id, bad x-keyexchange-id

- Action taken against an invalid channel id

  - Examples: request for properly formed, but not existing, channel id

- IP address sent to black list due to DOS prevention controls

  - Examples: Flood of requests from a single IP

- Client fallback to original sync method

  - Examples: Client unable to complete J-PAKE sync for any number of reasons and falls back to original sync approach
  - Reported by client to server via reporting API

Application Logging
:::::::::::::::::::

- Full application logging will be created to enable incident response review
- Logged to application server and not via CEF
- Logs will include:

  - Timestamp
  - IP address
  - Full URL
  - x-keyexchange-id
  - Event

- Other non-essential headers will be discarded

Admin Web Page
==============

- A small web administrator page will be created which will allow an admin to view all IP addresses that are currently blacklisted.
- The admin will be able to unblock any of the IP addresses through this page
- Otherwise the IP address will be removed from the black list after the time has elapsed that is defined within the configuration file
- Access to the web page will be password-protected with a simple .htaccess file and IP filtering access (10.*.*.*)
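
One way the per-server LRU queue and the shared penalty box from the DOS Defense section could fit together, as an added example that is not the project's own code. Assumptions: ``SharedBlacklist`` is an in-process stand-in for the memcache blacklist, and the class names, ``allow()``, ``max_ips`` and the threshold semantics (hits counted while an IP stays resident in the queue) are hypothetical.

```python
from collections import OrderedDict
import time


class SharedBlacklist:
    """In-process stand-in for the shared memcache blacklist (hypothetical)."""

    def __init__(self, clock=time.monotonic):
        self._expiry = {}              # ip -> time at which the penalty ends
        self._clock = clock

    def add(self, ip, timeout):
        self._expiry[ip] = self._clock() + timeout

    def remove(self, ip):              # what the admin page's unblock would call
        self._expiry.pop(ip, None)

    def __contains__(self, ip):
        expires = self._expiry.get(ip)
        if expires is None:
            return False
        if self._clock() >= expires:   # configured time-out elapsed
            del self._expiry[ip]
            return False
        return True


class LRUMonitor:
    """Per-server bounded LRU of request counts; offenders go to the shared list."""

    def __init__(self, blacklist, threshold, timeout, max_ips):
        self.blacklist = blacklist
        self.threshold = threshold     # hits while resident in the queue
        self.timeout = timeout         # seconds in the penalty box
        self.max_ips = max_ips         # queue size; bounds memory under a flood
        self._hits = OrderedDict()     # ip -> count, least recently seen first

    def allow(self, ip):
        """Record one request; return False if the IP is (now) blacklisted."""
        if ip in self.blacklist:
            return False
        count = self._hits.pop(ip, 0) + 1
        if count >= self.threshold:
            self.blacklist.add(ip, self.timeout)   # penalize on the shared list
            return False
        self._hits[ip] = count                     # re-insert as most recent
        if len(self._hits) > self.max_ips:
            self._hits.popitem(last=False)         # evict least recently seen
        return True
```

Because each server keeps its own queue, an IP spreading requests across servers is counted separately on each; only the penalty is shared.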