[Tails-dev] Endless Data Attack and Defense
adrelanos
adrelanos at riseup.net
Sun Feb 17 21:19:21 CET 2013
Hi!
I've been reading the Thandy design.
> Endless data attacks. An attacker responds to a file download request
with an endless stream of data, causing harm to clients (e.g. a disk
partition filling up or memory exhaustion).
Affected:
- tails_htp
- Tails security check perhaps?
- wherever else where you are using a scripted download (didn't check
more throughly than a fast grep for curl)
We're in luck. A fix doesn't appear to be that complicated. Curl
supports --max-time.
Adding a timeout between, well, 120 and 300 seconds?
Whatever a good timeout value would be, it's probable best not the hard
code let's say for example 120 seconds.
I think it may be best to add a random extra delay between maybe 0 and
300 seconds seconds so the attacker doesn't know for sure if Tor, the
wifi, the network broke down or if the user was using --max-time.
What do you think?
Cheers!
adrelanos
More information about the tails-dev
mailing list