Security
DOS Defense
- Least Recently Used (LRU) queue approach for monitoring IP addresses
issuing frequent requests
- Configurable threshold for adding IP address to Blacklist/Penalty Box
- Configurable time-out for IP addresses added to Blacklist/Penalty Box
- A single shared blacklist will exist within memcache
- LRU queues will be unique to each server and will penalize an IP to the
shared blacklist on memcache
- All thresholds will be controlled via the configuration page
TearDown DOS Defense
- Tear down requires valid channel and valid x-keyexchange-id value
- Statistically unlikely. Channel is 4 characters and keyexchange-id
is 255 characters
- Brute force attempts will generate lots of noise and will be limited
per DOS defense
Logging Points
CEF Logging
- Bad action taken against a valid channel id (denoted by 400 error code)
- Examples: non-existent x-keyexchange-id, bad x-keyexchange-id
- Action taken against an invalid channel id
- Examples: request for properly formed, but not existing, channel id
- IP address sent to black list due to DOS prevention controls
- Examples: Flood of requests from a single IP
- Client fallback to original sync method
- Examples: Client unable to complete J-PAKE sync for any number of reasons
and falls back to original sync approach
- Reported by client to server via reporting API
Application Logging
- Full application logging will be created to enable incident response review
- Logged to application server and not via CEF
- Logs will include:
- Timestamp
- IP address
- Full URL
- x-keyexchange-id
- Event
- Other non-essential headers will be discarded
Admin Web Page
- A small web administrator page will be created which will allow an admin to
view all IP addresses that are currently blacklisted.
- The admin will be able to unblock any of the IP addresses through this page
- Otherwise the IP address will be removed from the black list after the time
has elapsed that is defined within the configuration file
- Access to the web page will be password-protected with a simple .htaccess
file and IP filtering access (10.*.*.*)