From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:47874) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xf1RH-0001Az-8y for qemu-devel@nongnu.org; Fri, 17 Oct 2014 02:55:09 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Xf1RB-0007cb-4G for qemu-devel@nongnu.org; Fri, 17 Oct 2014 02:55:03 -0400 Received: from szxga01-in.huawei.com ([119.145.14.64]:36157) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xf1R9-0007cC-P9 for qemu-devel@nongnu.org; Fri, 17 Oct 2014 02:54:57 -0400 Message-ID: <5440BD16.2080705@huawei.com> Date: Fri, 17 Oct 2014 14:54:14 +0800 From: Gonglei MIME-Version: 1.0 References: <1413375585-20301-1-git-send-email-kraxel@redhat.com> <1413375585-20301-7-git-send-email-kraxel@redhat.com> <20141015123110.GA3741@redhat.com> <1413382769.4213.5.camel@nilsson.home.kraxel.org> <20141015143915.GE3741@redhat.com> <1413456389.18160.1.camel@nilsson.home.kraxel.org> <5440B85F.3060307@huawei.com> <20141017063831.GC3144@redhat.com> In-Reply-To: <20141017063831.GC3144@redhat.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH 6/6] vnc: track & limit connections List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Daniel P. Berrange" Cc: "Huangweidong (C)" , "qemu-devel@nongnu.org" , "Huangpeng (Peter)" , "Dr. David Alan Gilbert" , Gerd Hoffmann , Anthony Liguori On 2014/10/17 14:38, Daniel P. Berrange wrote: > On Fri, Oct 17, 2014 at 02:34:07PM +0800, Gonglei wrote: >> On 2014/10/16 18:46, Gerd Hoffmann wrote: >> >>> Hi, >>> >>>>> I try to prevent that by dropping the *oldest* connection, so you have a >>>>> chance to connect even if a unprivileged attacker tries to use up all >>>>> connection slots. >>>> >>>> Lets say the limit is 5. The bad guy has 5 open idle connections. >>>> The good guy opens a new one and pushes off one of the bad guy's >>>> connections. Fine so far. The bad guy though can simply open 5 more >>>> connections and he'll push the good guy's connection off again. >>> >>> Correct. It can't fully prevent the attack, but makes it harder to pull >>> off. Just having $limit idle connects isn't enough any more, the bad >>> guy has to constantly bomb qemu with vnc connect requests, hoping this >>> kicks out the good guy before it managed to authenticate. The chances >>> for the good guy are a bit better and it is also more likely that the >>> attack sets off alarms in network monitoring. >>> >> >> Hi, >> >> Happy that I don't miss this patch series and conversation. >> I have a approach to prevent the brute force attack (which >> had been tested in my team). Firstly, we must set password for >> vnc server for security. Secondly, the DoS may bomb qemu >> with vnc connect requests, trying to decrypt password at present. > > Note that VNC passwords offer no meaningful level of security. > Encryption algorithms? > If you want security for VNC you must *always* use the TLS extension > or the SASL extension, or both. These offer proven cryptographically > strong authentication protocols. > >> If we set the max trying times, and then >> There are some concepts: >> - INTERVAL_TIME: a time window that user can connect vnc server >> - REJECT_TIME: the time of reject any connection >> - MAX_TRY_TIMES: the times that user can connect vnc server in INTERVAL_TIME, >> if attach the MAX_TRY_TIMES, the server will lock, any user can not connect again >> before REJECT_TIME attached. The old connected client will not be influenced. > > How are you defining "user" in this description. Do you mean "Source IP address" > here ? Or any client connection ? Or something else ? > I mean "any client connection". :) Best regards, -Gonglei