
Re: [Sks-devel] Annoying malicious keys - any easy solution?


From: Andreas Puls
Subject: Re: [Sks-devel] Annoying malicious keys - any easy solution?
Date: Mon, 18 Feb 2019 19:54:39 +0100
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1

Hi Todd,

Am 17.02.2019 um 17:02 schrieb Todd Fleisher:
> Do you (or others) see any side effects to this approach? I'm 
> particularly wondering if it would cause your server to fall behind if it 
> repeatedly closes connections from its peers.
> 

Sorry, currently I don't know - it was a short-circuit reaction.
But I think it shouldn't affect the peering with others. They do something
like this "POST /pks/hashquery HTTP/1.0" (maybe someone can give
short feedback)

These keys made about 80% of the whole traffic (keyserver); the requests
per second were kinda high.
If you try to get info about the keys via the web interface you will receive
garbage; the key itself is about 2.5Mb big.
The blocking will only affect the requests where you are trying to
download the .asc file.
Maybe I'm a bit stubborn, but after this step my server is much more
reachable. (Until now. My provider had to reboot the server, but sks
isn't marked for autostart :( )

> -T
> 

Br
  Andreas
>> On Feb 17, 2019, at 3:00 AM, Andreas Puls <address@hidden> wrote:
>>
>>
>>
>> Am 17.02.2019 um 11:54 schrieb Gabor Kiss:
>>>> So, what can I do?
>>>> I know this patch (which seems to be included in the debian sks package) to
>>>> ignore one special malicious key, but that seems to not help with those
>>>> noted above. Is there a patch to add more keys to be ignored?
>>>> As some IPs request the same KeyID over and over again (>100 reqs/day),
>>>> I do block those IPs with fail2ban.
>>>
>>> Fail2Ban is useful, but I intentionally do not log where the requests
>>> come from. Logging in the proxy is turned off.
>>>
>>
>> I'm using nginx as reverse proxy and added this to the config:
>> if ( $args ~
>> "op=get&options=mr&search=(0x1013D73FECAC918A0A25823986CE877469D2EAD9|0x2016349F5BC6F49340FCCAF99F9169F4B33B4659|0xB33B4659|0x69D2EAD9)"
>> ) {
>>      return 444;
>> }
>>
>> 444: Connection Closed Without Response
>>
>> Additionally I use fail2ban, which triggers on the error code 444
>>> Gabor
>>
>> Br
>>  Andreas
>>>
>>> _______________________________________________
>>> Sks-devel mailing list
>>> address@hidden
>>> https://lists.nongnu.org/mailman/listinfo/sks-devel
>>>
>>
> 
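A runnable sketch of the rule discussed in this thread, added here as an illustration (it is not code from the list, from SKS or from nginx). It applies the same regex to the query string, as nginx's `$args` does, shows that a peer-style `POST /pks/hashquery` carries no query string and so is never closed with 444, and counts 444 responses per client IP the way a fail2ban jail would. The log lines, client IPs and ban threshold are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Same pattern as the nginx `if ($args ~ "...")` rule quoted in the thread.
BLOCKED_ARGS = re.compile(
    r"op=get&options=mr&search=(0x1013D73FECAC918A0A25823986CE877469D2EAD9"
    r"|0x2016349F5BC6F49340FCCAF99F9169F4B33B4659|0xB33B4659|0x69D2EAD9)"
)

def nginx_status(method: str, target: str) -> int:
    """Emulate the rule: 444 (close without response) when the query string
    matches, otherwise pass the request on (200 stands in for the upstream).
    Only the part after '?' is checked, mirroring nginx's $args, so a peer
    recon request such as 'POST /pks/hashquery' (no query string) is untouched."""
    args = urlsplit(target).query
    return 444 if BLOCKED_ARGS.search(args) else 200

# Constructed access-log lines in nginx's default "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [18/Feb/2019:19:00:01 +0100] "GET /pks/lookup?op=get&options=mr&search=0xB33B4659 HTTP/1.1" 444 0 "-" "curl/7.64.0"
203.0.113.9 - - [18/Feb/2019:19:00:02 +0100] "POST /pks/hashquery HTTP/1.0" 200 5123 "-" "sks_www/1.1.6"
198.51.100.7 - - [18/Feb/2019:19:00:03 +0100] "GET /pks/lookup?op=get&options=mr&search=0x69D2EAD9 HTTP/1.1" 444 0 "-" "curl/7.64.0"
192.0.2.5 - - [18/Feb/2019:19:00:04 +0100] "GET /pks/lookup?op=vindex&search=0xDEADBEEF HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, request line and status from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def offenders(log_text: str, maxretry: int = 2) -> dict:
    """fail2ban-style aggregation: count 444 responses per client IP and return
    the IPs that reached maxretry (the ones a jail keyed on status 444 would ban)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "444":
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}

if __name__ == "__main__":
    print("peer hashquery ->", nginx_status("POST", "/pks/hashquery"))
    print("blocked key fetch ->", nginx_status("GET", "/pks/lookup?op=get&options=mr&search=0xB33B4659"))
    print("would be banned:", offenders(SAMPLE_LOG))
```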
