From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:43091) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xf1BZ-0005zP-4K for qemu-devel@nongnu.org; Fri, 17 Oct 2014 02:38:52 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Xf1BV-0002Ky-5T for qemu-devel@nongnu.org; Fri, 17 Oct 2014 02:38:49 -0400 Received: from mx1.redhat.com ([209.132.183.28]:14632) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xf1BU-0002Kk-UJ for qemu-devel@nongnu.org; Fri, 17 Oct 2014 02:38:45 -0400 Date: Fri, 17 Oct 2014 07:38:32 +0100 From: "Daniel P. Berrange" Message-ID: <20141017063831.GC3144@redhat.com> References: <1413375585-20301-1-git-send-email-kraxel@redhat.com> <1413375585-20301-7-git-send-email-kraxel@redhat.com> <20141015123110.GA3741@redhat.com> <1413382769.4213.5.camel@nilsson.home.kraxel.org> <20141015143915.GE3741@redhat.com> <1413456389.18160.1.camel@nilsson.home.kraxel.org> <5440B85F.3060307@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <5440B85F.3060307@huawei.com> Subject: Re: [Qemu-devel] [PATCH 6/6] vnc: track & limit connections Reply-To: "Daniel P. Berrange" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Gonglei Cc: "Huangweidong (C)" , qemu-devel@nongnu.org, "Huangpeng (Peter)" , "Dr. David Alan Gilbert" , Gerd Hoffmann , Anthony Liguori On Fri, Oct 17, 2014 at 02:34:07PM +0800, Gonglei wrote: > On 2014/10/16 18:46, Gerd Hoffmann wrote: > > > Hi, > > > >>> I try to prevent that by dropping the *oldest* connection, so you have a > >>> chance to connect even if a unprivileged attacker tries to use up all > >>> connection slots. > >> > >> Lets say the limit is 5. The bad guy has 5 open idle connections. > >> The good guy opens a new one and pushes off one of the bad guy's > >> connections. Fine so far. The bad guy though can simply open 5 more > >> connections and he'll push the good guy's connection off again. > > > > Correct. It can't fully prevent the attack, but makes it harder to pull > > off. Just having $limit idle connects isn't enough any more, the bad > > guy has to constantly bomb qemu with vnc connect requests, hoping this > > kicks out the good guy before it managed to authenticate. The chances > > for the good guy are a bit better and it is also more likely that the > > attack sets off alarms in network monitoring. > > > > Hi, > > Happy that I don't miss this patch series and conversation. > I have a approach to prevent the brute force attack (which > had been tested in my team). Firstly, we must set password for > vnc server for security. Secondly, the DoS may bomb qemu > with vnc connect requests, trying to decrypt password at present. Note that VNC passwords offer no meaningful level of security. If you want security for VNC you must *always* use the TLS extension or the SASL extension, or both. These offer proven cryptographically strong authentication protocols. > If we set the max trying times, and then > There are some concepts: > - INTERVAL_TIME: a time window that user can connnet vnc server > - REJECT_TIME: the time of reject any connection > - MAX_TRY_TIMES: the times that user can connect vnc server in INTERVAL_TIME, > if attach the MAX_TRY_TIMES, the server will lock, any user can not connect again > before REJECT_TIME attached. The old connected client will not be influenced. How are you defining "user" in this description. Do you mean "Source IP address" here ? Or any client connection ? Or something else ? Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|