Discussion:
[asio-users] Filtering TCP and/or TLS connections
Nounou Dadoun
2016-05-25 19:28:45 UTC
Permalink
Hi folks,

I'm interested in writing a security filter for existing applications to deal with syn flood attacks and potentially other mischief.
In particular, I have an application that I would like to "protect" from crashing (I don't care if the filter crashes because I can keep restarting it) and I would like this filter to prescreen connections and then hand them to the application to process.  I'm thinking that I could use some kind of exponential backoff to space a syn flood to a manageable flow.  (e.g. sleep for a certain period between handing off connects - 10ms, 20ms, 40ms, 80ms etc. with a backoff reset every full second that there are no outstanding requests or so - may need some tuning but you get the idea).

So my question is - how could boost asio do this (without the knowledge or cooperation of the "protected" application), i.e. receive the incoming tcp connection, potentially wait a period of time and then hand it off to a separate application (potentially on a different machine) to process.

Note that this would be similar to a load-balancing application that might choose from among a number of available servers to hand off to process incoming requests.

Any suggestions or references as to how to go about this in boost?   The other possibility is to treat the filter process as a man in the middle but that's not my preference at this point.

Thanks in advance for any thoughts .. N

Nou Dadoun
Senior Firmware Developer, Security Specialist


Office: 604.629.5182 ext 2632
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn


This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.



------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
asio-users mailing list
asio-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/asio-users
_______________________________________________
Using Asio? List your project at
http://think-async.com/Asio/WhoIsUsingAsio
Vinnie Falco
2016-05-25 19:44:04 UTC
Permalink
On Wed, May 25, 2016 at 3:28 PM, Nounou Dadoun
Post by Nounou Dadoun
I'm interested in writing a security filter for existing applications
...
how could boost asio do this (without the knowledge or cooperation of the "protected" application),
I'm by no means an expert but Asio provides an embedded, cross
platform interface to TCP/IP, UDP. It also exposes the underlying
operating system socket (use of which will be by definition
platform-specific). I know of no interface in Boost, or any other
cross-platform network library, that allows taking over the
transport-layer details of TCP/IP.

I believe the solution you are looking for can only be implemented by
writing a platform-specific network driver for each operating system
you wish to target.

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
asio-users mailing list
asio-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/asio-users
_______________________________________________
Using Asio? List your project at
http://think-async.com/Asio/WhoIsUsingAsio
David Schwartz
2016-05-25 19:53:26 UTC
Permalink
On Wed, May 25, 2016 at 12:28 PM, Nounou Dadoun
Post by Nounou Dadoun
Hi folks,
I'm interested in writing a security filter for existing applications to
deal with syn flood attacks and potentially other mischief.
In particular, I have an application that I would like to "protect" from crashing
Instead, why not just fix whatever bug is causing the application to crash?
Post by Nounou Dadoun
(I don't care if the filter crashes because I can keep restarting it) and I would like
this filter to prescreen connections and then hand them to the application to
process. I'm thinking that I could use some kind of exponential backoff to
space a syn flood to a manageable flow. (e.g. sleep for a certain period
between handing off connects - 10ms, 20ms, 40ms, 80ms etc. with a backoff
reset every full second that there are no outstanding requests or so - may
need some tuning but you get the idea).
That will just make the damage worse. The point of a SYN flood is to
prevent legitimate connections from getting through by reducing the
percentage of SYNs that you're able to reply to. Intentionally not
replying to SYNs makes things worse, not better.

DS

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
asio-users mailing list
asio-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/asio-users
_______________________________________________
Using Asio? List your project at
http://think-async.com/Asio/WhoIsUsingAsio
Nounou Dadoun
2016-05-25 20:27:07 UTC
Permalink
The "bug" I'm trying to address is susceptibility to SYN-flood attacks! The mechanism which I'm proposing is meant to throttle an incoming flood to mitigate its effects while the flood is in effect so as not to overwhelm an application running on an embedded device. The actual mitigation strategy can be determined later, my question was just to see if there's a mechanism for handing off an incoming connection without "accepting" it automatically .... N


Nou Dadoun
Senior Firmware Developer, Security Specialist


Office: 604.629.5182 ext 2632
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn


This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.


-----Original Message-----
From: David Schwartz [mailto:***@gmail.com]
Sent: Wednesday, May 25, 2016 12:53 PM
To: asio-***@lists.sourceforge.net
Subject: Re: [asio-users] Filtering TCP and/or TLS connections
Post by Nounou Dadoun
Hi folks,
I'm interested in writing a security filter for existing applications
to deal with syn flood attacks and potentially other mischief.
In particular, I have an application that I would like to "protect" from crashing
Instead, why not just fix whatever bug is causing the application to crash?
Post by Nounou Dadoun
(I don't care if the filter crashes because I can keep restarting it)
and I would like this filter to prescreen connections and then hand
them to the application to process. I'm thinking that I could use
some kind of exponential backoff to space a syn flood to a manageable
flow. (e.g. sleep for a certain period between handing off connects -
10ms, 20ms, 40ms, 80ms etc. with a backoff reset every full second
that there are no outstanding requests or so - may need some tuning but you get the idea).
That will just make the damage worse. The point of a SYN flood is to prevent legitimate connections from getting through by reducing the percentage of SYNs that you're able to reply to. Intentionally not replying to SYNs makes things worse, not better.

DS

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who bring their own devices (BYOD) to work are irked by the imposition of MDM restrictions. Mobile Device Manager Plus allows you to control only the apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
asio-users mailing list
asio-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/asio-users
_______________________________________________
Using Asio? List your project at
http://think-async.com/Asio/WhoIsUsingAsio

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
asio-users mailing list
asio-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/asio-users
_______________________________________________
Using Asio? List your project at
http://think-async.com/Asio/WhoIsUsingAsio
Bjorn Reese
2016-05-25 20:34:22 UTC
Permalink
Post by Nounou Dadoun
So my question is - how could boost asio do this (without the knowledge or cooperation of the "protected" application), i.e. receive the incoming tcp connection, potentially wait a period of time and then hand it off to a separate application (potentially on a different machine) to process.
Asio is a C++ API for user-space sockets, so it cannot be used for
delayed binding in general. The various mitigation strategies against
TCP SYN flooding [1] usually requires some level of kernel/driver
support.

[1] https://tools.ietf.org/html/rfc4987


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
asio-users mailing list
asio-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/asio-users
_______________________________________________
Using Asio? List your project at
http://think-async.com/Asio/WhoIsUsingAsio

Loading...