WIP: 1110: Help recover in DOS attack #1311
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Problem : When 201 connections made in parallel to BMC and closed them
immediately without properly sending a close_notify alert it was
observed that Bmcweb server was taking several minutes to close the
sockets. All the 200 TCP sockets were in CLOSE_WAIT state.
Journal log shows below line
[CRITICAL http_connection.hpp:213] 0x29d1ef0Max connection count
exceeded.
```
Not able to make new connection
$ curl -k -H "X-Auth-Token:$bmc_token" -X GET https://${BMC_IP}/redfish
/v1/AccountService/Accounts
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
127.0.0.1:2443
Fix : The bmcweb server failed to identify the end of stream at TCP (SSL
/TLS) layer, therefore added check to identify the end of stream which
closes the connection and socket
Test :
I tested this MR using a script that simulated 5,000 parallel
connections simultaneously to BMC and closed them immediately without
properly sending a close_notify alert
Observations:
The BMC became unresponsive for 30-40 seconds before recovering.
After recovery, it took approximately 90 seconds to close all
connections in QEMU.
On real hardware, connection closure times may be slightly higher
(though still within expected parameters).
Conclusion:
This behavior aligns with expectations.
After 90 seconds observed that
1) No sockets in CLOSE_WAIT state
2) Able to make new connection.
curl -k -H "X-Auth-Token:$bmc_token" https://${IP}/redfish/v1/AccountService/Accounts
{
"@odata.id": "/redfish/v1/AccountService/Accounts",
"@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
"Description": "BMC User Accounts",
"Members": [
{
"@odata.id": "/redfish/v1/AccountService/Accounts/root"
}
],
"Members@odata.count": 1,
"Name": "Accounts Collection"
}
```
Change-Id: I1c277db0b774d33c656b4a2b1bd14f3575535bec
Signed-off-by: Chandramohan Harkude <chandramohan.harkude@gmail.com>
There are cases bmcweb might close the connection due to a violation of
the protocol. Currently these are done gracefully, under the assumption
that a client might attempt to recover. But this opens us up to
potentially leaving sockets open for far longer than we intend if the
client is completely gone, due to a disconnect or explicitly closing the
socket hard.
In cases where we get a protocol error, shutdown the socket hard, rather
than attempt to do things "correctly".
Tested:
I tested this MR using a script that simulated 5,000 parallel
connections simultaneously to BMC and closed them immediately without
properly sending a close_notify alert
Observations:
The BMC became unresponsive for 30-40 seconds before recovering.
After recovery, it took approximately 90 seconds to close all
connections in QEMU.
On real hardware, connection closure times may be slightly higher
(though still within expected parameters).
Conclusion:
This behavior aligns with expectations.
After 90 seconds observed that
1) No sockets in CLOSE_WAIT state
2) Able to make new connection.
```
curl -k -H "X-Auth-Token:$bmc_token" https://${IP}/redfish/v1/AccountService/Accounts
{
"@odata.id": "/redfish/v1/AccountService/Accounts",
"@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
"Description": "BMC User Accounts",
"Members": [
{
"@odata.id": "/redfish/v1/AccountService/Accounts/root"
}
],
"Members@odata.count": 1,
"Name": "Accounts Collection"
}
```
Change-Id: I6ab4347efd8fda9ae86bfbb8575666ad3eabe88c
Signed-off-by: Ed Tanous <etanous@nvidia.com>
Signed-off-by: Chandramohan Harkude <chandramohan.harkude@gmail.com>
gtmills
changed the title
|
Putting into 1120 at #1310 and will run with it for a while |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Upstream is https://gerrit.openbmc.org/c/openbmc/bmcweb/+/80819 and https://gerrit.openbmc.org/c/openbmc/bmcweb/+/80839 and has merged. The DOS attack we are helping clear up is coming from the HMC. 2 commits:
Problem : When 201 connections made in parallel to BMC and closed them immediately without properly sending a close_notify alert it was observed that Bmcweb server was taking several minutes to close the sockets. All the 200 TCP sockets were in CLOSE_WAIT state.
Journal log shows below line
[CRITICAL http_connection.hpp:213] 0x29d1ef0Max connection count exceeded.
Not able to make new connection
$ curl -k -H "X-Auth-Token:$bmc_token" -X GET https://${BMC_IP}/redfish
/v1/AccountService/Accounts
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
127.0.0.1:2443
Fix : The bmcweb server failed to identify the end of stream at TCP (SSL
/TLS) layer, therefore added check to identify the end of stream which
closes the connection and socket
Change-Id: I1c277db0b774d33c656b4a2b1bd14f3575535bec
There are cases bmcweb might close the connection due to a violation of
the protocol. Currently these are done gracefully, under the assumption
that a client might attempt to recover. But this opens us up to
potentially leaving sockets open for far longer than we intend if the
client is completely gone, due to a disconnect or explicitly closing the
socket hard.
In cases where we get a protocol error, shutdown the socket hard, rather
than attempt to do things "correctly".
Tested:
I tested this MR using a script that simulated 5,000 parallel
connections simultaneously to BMC and closed them immediately without
properly sending a close_notify alert
Observations:
The BMC became unresponsive for 30-40 seconds before recovering.
After recovery, it took approximately 90 seconds to close all
connections in QEMU.
On real hardware, connection closure times may be slightly higher
(though still within expected parameters).
Conclusion:
This behavior aligns with expectations.
After 90 seconds observed that
curl -k -H "X-Auth-Token:$bmc_token" https://${ip}/redfish/v1/AccountService/Accounts
{
"@odata.id": "/redfish/v1/AccountService/Accounts",
"@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
"Description": "BMC User Accounts",
"Members": [
{
"@odata.id": "/redfish/v1/AccountService/Accounts/root"
}
],
"Members@odata.count": 1,
"Name": "Accounts Collection"
}
Change-Id: I6ab4347efd8fda9ae86bfbb8575666ad3eabe88c
Signed-off-by: Ed Tanous etanous@nvidia.com
Signed-off-by: Chandramohan Harkude chandramohan.harkude@gmail.com