Repair request/response can potentially flood the cluster #7529

Closed
pgarg66 opened this issue Dec 17, 2019 · 1 comment

pgarg66 commented Dec 17, 2019

Problem

The cluster can get flooded by repair request/response. This can happen due to:

  1. A malicious node that's generating spurious repair requests targeting one valid node or the whole cluster
  2. Network behavior such that alternate paths are not available, routing and/or spanning loops exist, or network partitions exist between responding and requesting nodes

Reference section 6.4.2.1.1

Proposed Solution

  1. Write tests that simulate such conditions.
  2. More intelligence in the repair service that can detect excessive repair requests from a node and throttle that node's repairs
  3. Filter a malicious node's IP/ports via kernel filters (e.g. iptables)
  4. Validators can deploy firewalls that can be configured dynamically.

More thought is needed to find a comprehensive solution for such attacks.
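
One way the throttling in item 2 of the proposed solution could look, as an added example that is not code from the project or from this issue: a per-peer token bucket that caps how many repair requests are served per source. The type and function names, the rate, burst and idle-timeout values, and keying by source IP are all assumptions.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};
use std::time::{Duration, Instant};

/// Hypothetical per-peer throttle for inbound repair requests (token bucket).
pub struct RepairThrottle {
    rate_per_sec: f64,  // sustained requests/second served per peer (assumed value)
    burst: f64,         // bucket capacity, i.e. largest back-to-back burst (assumed)
    idle_ttl: Duration, // forget peers that have been silent this long
    buckets: HashMap<IpAddr, (f64, Instant)>, // peer -> (tokens, last request time)
}

impl RepairThrottle {
    pub fn new(rate_per_sec: f64, burst: f64, idle_ttl: Duration) -> Self {
        Self { rate_per_sec, burst, idle_ttl, buckets: HashMap::new() }
    }

    /// Returns true if a repair request from `peer` arriving at `now` should be served.
    pub fn allow(&mut self, peer: IpAddr, now: Instant) -> bool {
        let (rate, burst) = (self.rate_per_sec, self.burst);
        let (tokens, last) = self.buckets.entry(peer).or_insert((burst, now));
        let elapsed = now.saturating_duration_since(*last).as_secs_f64();
        *tokens = (*tokens + elapsed * rate).min(burst); // refill, capped at burst
        *last = now;
        if *tokens >= 1.0 { *tokens -= 1.0; true } else { false }
    }

    /// Drop idle peers so a stream of many distinct sources cannot grow the map forever.
    pub fn prune(&mut self, now: Instant) {
        let ttl = self.idle_ttl;
        self.buckets.retain(|_, (_, last)| now.saturating_duration_since(*last) < ttl);
    }

    pub fn tracked_peers(&self) -> usize { self.buckets.len() }
}

/// Constructed scenario: `peer` sends `n` requests at the same instant; returns how many are served.
pub fn served_in_burst(t: &mut RepairThrottle, peer: IpAddr, n: usize, now: Instant) -> usize {
    (0..n).filter(|_| t.allow(peer, now)).count()
}

fn main() {
    let start = Instant::now();
    let mut t = RepairThrottle::new(10.0, 20.0, Duration::from_secs(60));
    let noisy = IpAddr::V4(Ipv4Addr::new(192, 0, 2, 10)); // constructed address
    let quiet = IpAddr::V4(Ipv4Addr::new(192, 0, 2, 20)); // constructed address
    println!("noisy served: {}/1000", served_in_burst(&mut t, noisy, 1000, start));
    println!("quiet served: {}", t.allow(quiet, start));
}
```

Because each peer has its own bucket, a flooding source is cut off without affecting requests from other nodes; repair traffic arrives over the network, so a source-address key only holds as far as the address can be trusted.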

@pgarg66 pgarg66 added the security Pull requests that address a security vulnerability label Dec 17, 2019
@sakridge sakridge self-assigned this Dec 18, 2019
@mvines mvines added this to the Tofino v0.23.0 milestone Dec 21, 2019
@mvines mvines modified the milestones: Tofino v0.23.0, Rincon v0.24.0 Jan 26, 2020
@mvines mvines modified the milestones: Rincon v0.24.0, v0.25.0 Feb 20, 2020
@mvines mvines modified the milestones: v1.1.0, v1.2.0 Mar 30, 2020

sakridge commented Apr 2, 2020

Fixed by #9056

@sakridge sakridge closed this as completed Apr 2, 2020