[JBoss JIRA] (MODCLUSTER-417) Obfuscating jvmRoute as to hide topology
by Juan Manuel CABRERA (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-417?page=com.atlassian.jira.pl... ]
Juan Manuel CABRERA commented on MODCLUSTER-417:
I'm the originator of that feature request, so I'll try to explain a little more why I think this is a good idea.
Imagine an attacker that wants to create a DOS attack on a particular cluster.
Its simpler for him to crash each nodes one at the time, this would require substantially less power that trying to crash the whole cluster as a whole and would be much more efficient.
Each time you successfully kill a node, the load on each remaining node is mechanically increased and very likely, the last few nodes will crash on their own under the full "normal" load.
An example: if killing a whole cluster of 100 nodes requires an overload of say X:
- killing the first node requires 1% of X obviously
- second node requires 0.96% of X so you can start killing 3 a bit.
- Node 12 is killed twice as fast as node 1 with the same power
- Node 16 is killed 4x faster than node 1
- Node 19 and 20 die almost instantly
- After the node 20 has crashed, the remaining nodes are > 100% so there is little to do to kill these if they are not dead already.
As it goes with any attack possibility, there are certainly ways to prevent that with other means, but I think that the obfuscation/ciphering of the jvmroute would be a good protection.
> Obfuscating jvmRoute as to hide topology
> Key: MODCLUSTER-417
> URL: https://issues.jboss.org/browse/MODCLUSTER-417
> Project: mod_cluster
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Native (httpd modules)
> Affects Versions: 1.3.0.Final, 1.2.9.Final
> Reporter: Radoslav Husar
> Assignee: Jean-Frederic Clere
> Priority: Minor
> Feature request from https://github.com/jmcabrera
> Hello guys.
> First of all, this is a feature request and not a bug.
> I would like to "obfuscate" the jvmRoute so that an external attacker cannot "guess" the topology of my internal infrastructure.
> The "strong" way would be to have a symmetrical cipher with a configurable key.
> mod_cluster could then cipher the jsessionid before exposing it to the external world, and decipher it to recover the jvmRoute and properly redirect the request.
> But I guess that this would have very undesirable consequences on performance.
> The "weak" way would be just obfuscate, i.e. let's say that the jsessionid is alea + '.' + jvmRoute. We could take a part of the alea to alter the jvmroute in a reversible way (XORing for instance).
> Anyhow, the expected effect would be that the jvmroute would be externally different for each and every request.
> Unfortunately, I have close to no C skills, hence I cannot make this myself.
> (as a side note, coming from mod_jk, I'm quite impressed by the features mod_cluster offers! Thanks for the good work :) )
This message was sent by Atlassian JIRA