[filter] Reset TCP connections #1751

Closed
krizhanovsky opened this issue Nov 11, 2022 · 2 comments

@krizhanovsky

krizhanovsky commented Nov 11, 2022

Motivation

#1741 :

Basically ip_block on; block_action attack reply; is a misconfiguration: Frang limits immediately call the filter blocking on the IP layer, and the HTTP layer will just put an HTTP response into the socket send buffer, which hangs forever.

See also https://github.com/tempesta-tech/tempesta/wiki/HTTP-security for the discussion on the options interoperability.

With this configuration

frang_limits {
    ip_block on;
    http_ct_required true;
}
block_action attack reply;

If the http_ct_required rule is triggered, then Frang immediately calls the IP filter, which blocks the client IP on the Netfilter layer. This means that Tempesta FW can not receive any ingress packets from the client, even TCP ACKs. When Frang finishes its execution, the HTTP layer takes control with a BLOCK status from the Frang layer, and now an HTTP error code must be sent. Since the TCP layer can't receive ACKs for the HTTP response, the response would hang in the socket send queue until the TCP keep-alive timer terminates the connection.

Scope

Filter

The filter module is responsible for client blocking, in any implemented way (IP blocking only at the moment). The module must be extended, and probably tfw_filter_block_ip() should be replaced with a new API call(s) to

  1. reset TCP connections with RST
  2. block the IP only if ip_block on
  3. be ready to terminate HTTP sessions (the actual implementation of the session termination is for Drop HTTP session on security events #1045 , but this issue must consider this extension to make the API flexible)

block_action

The drop action of the block_action option must also reset the TCP connection with RST (see https://github.com/tempesta-tech/tempesta/wiki/Handling-clients#error-responses)

Testing

Test to reproduce for connection burst. See comment

Documentation

The behavior is described in https://github.com/tempesta-tech/tempesta/wiki/HTTP-security , which must be reviewed.
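As an added example (not Tempesta's own code), a small Python linter that parses the configuration snippet above and flags the ip_block / block_action attack reply conflict the issue describes. The directive names come from the issue; the parser, the SAMPLE_BAD input and the function names are assumptions of this example.

```python
"""Detect the ip_block / block_action conflict described in this issue.

Parses the small subset of the Tempesta FW configuration syntax needed here:
`name value ...;` directives and `name { ... }` blocks with `#` comments.
Added example only; directive names follow the issue text.
"""
import re

# Constructed sample reproducing the misconfiguration from the issue.
SAMPLE_BAD = """
frang_limits {
    ip_block on;            # client IP is blocked on the Netfilter layer
    http_ct_required true;
}
block_action attack reply;  # HTTP reply can never be ACKed by a blocked IP
"""

TOKEN = re.compile(r"\{|\}|;|#[^\n]*|[^\s{};#]+")


def parse(text):
    """Return a list of (path, name, args); `path` is the enclosing block names."""
    directives, stack, cur = [], [], []
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue                      # skip comments
        if tok == "{":
            stack.append(cur[0])          # block name opens a new scope
            cur = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if cur:
                directives.append((tuple(stack), cur[0], tuple(cur[1:])))
            cur = []
        else:
            cur.append(tok)
    return directives


def check_block_action(text):
    """Return warnings for `ip_block on` combined with `block_action attack reply`."""
    d = parse(text)
    ip_block_on = any(p == ("frang_limits",) and n == "ip_block" and a == ("on",)
                      for p, n, a in d)
    return ["block_action attack reply conflicts with ip_block on: the IP is "
            "filtered before the reply is ACKed, so the response hangs"
            for p, n, a in d
            if ip_block_on and p == () and n == "block_action"
            and a == ("attack", "reply")]
```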

@RomanBelozerov

Tempesta does not return RST for non-TLS connections, but does so for TLS connections. We must always return RST for security events (or not?).

@voodam

voodam commented Oct 6, 2023

Done in #1716

@voodam voodam closed this as completed Oct 6, 2023