Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(audit): timeouts for metrics server to avoid DoS attacks #1277

Merged
merged 1 commit into from
Oct 18, 2024
Merged

fix(audit): timeouts for metrics server to avoid DoS attacks #1277

merged 1 commit into from
Oct 18, 2024

Conversation

IAvecilla
Copy link
Collaborator

The metrics server used for the operator and the aggregator is now initialize with custom timeout parameters to avoid attacks that could bring the server down.

@IAvecilla IAvecilla self-assigned this Oct 17, 2024
@IAvecilla IAvecilla linked an issue Oct 17, 2024 that may be closed by this pull request
Metrics package is vulnerable to Slowloris attack #1274
Closed
MarcosNicolau
MarcosNicolau approved these changes Oct 17, 2024
View reviewed changes
Copy link
Collaborator

@MarcosNicolau MarcosNicolau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

JulianVentura
JulianVentura approved these changes Oct 17, 2024
View reviewed changes
Copy link
Collaborator

@JulianVentura JulianVentura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@MarcosNicolau
Copy link
Collaborator

Btw, I tested this with netcat:

  • Idle timeout: nc 127.0.0.1 9092 (hangs the connection indefinitely, maybe you could add this to the comment)
  • Write timeout: nc 127.0.0.1 9092 and write GET/metrics HTTP/1.1 to the console.

@IAvecilla IAvecilla merged commit 592d271 into staging Oct 18, 2024
2 checks passed
@IAvecilla IAvecilla deleted the 1274-metrics-package-is-vulnerable-to-slowloris-attack branch October 18, 2024 14:39
PatStiles pushed a commit that referenced this pull request Nov 6, 2024
@IAvecilla @PatStiles
fix(audit): timeouts for metrics server to avoid DoS attacks (#1277)
246683e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MarcosNicolau MarcosNicolau MarcosNicolau approved these changes

@JulianVentura JulianVentura JulianVentura approved these changes

@uri-99 uri-99 uri-99 approved these changes

Assignees

@IAvecilla IAvecilla

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Metrics package is vulnerable to Slowloris attack
4 participants
@IAvecilla @MarcosNicolau @uri-99 @JulianVentura