Closed
Bug 906384
Opened 11 years ago
Closed 11 years ago
ICE pacing needs to be global
Categories
(Core :: WebRTC: Networking, defect)
Tracking
()
RESOLVED
FIXED
mozilla28
Tracking | Status | |
---|---|---|
firefox26 | --- | wontfix |
firefox27 | --- | fixed |
firefox28 | --- | fixed |
firefox-esr24 | --- | wontfix |
b2g18 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
b2g-v1.2 | --- | fixed |
b2g-v1.3 | --- | fixed |
b2g-v1.4 | --- | unaffected |
People
(Reporter: ekr, Assigned: bwc)
Details
(Keywords: csectype-dos, sec-low, Whiteboard: [qa-][adv-main27-])
Attachments
(2 files, 6 obsolete files)
26.76 KB,
text/plain
|
Details | |
2.67 KB,
patch
|
bwc
:
review+
bajaj
:
approval-mozilla-beta+
bajaj
:
approval-mozilla-b2g26+
RyanVM
:
checkin+
|
Details | Diff | Splinter Review |
Martin Thomson pointed out to me that the Firefox ICE implementation doesn't do global pacing. This means that an attacker can cause Firefox to generate a lot of attack traffic to a victim by making a lot of peerconnections with a lot of ICE candidates pointing to the victim. We need to make ICE pacing Firefox-global, thus limiting the total amount of traffic Firefox generates in total.
Updated•11 years ago
|
Keywords: sec-moderate
Comment 1•11 years ago
|
||
I've written a draft on the subject, text version attached. See also http://martinthomson.github.io/drafts/draft-thomson-mmusic-ice-webrtc.html
Comment 2•11 years ago
|
||
(In reply to Martin Thomson from comment #1) > http://martinthomson.github.io/drafts/draft-thomson-mmusic-ice-webrtc.html 404
Reporter | ||
Comment 3•11 years ago
|
||
I asked Martin to remove it, since this is a security bug.
Reporter | ||
Comment 4•11 years ago
|
||
The fix for this issue will make the issue pretty obvious, and to complicate matters, there is a similar issue in Chrome. Who at Mozilla would be the best person to coordinate with Chrome security on coordinated fixing?
Flags: needinfo?(continuation)
Reporter | ||
Comment 5•11 years ago
|
||
Notes from today's call with Justin and Martin. Instead of doing global pacing, the proposal is to instead put a global "circuit breaker" cap on the maximum amount of STUN traffic you can generate and then (as needed) adjust pacing to the point where legitimate applications should stay under the cap.
Updated•11 years ago
|
Flags: needinfo?(dveditz)
Comment 7•11 years ago
|
||
-> ekr for now; if implementation needs to go elsewhere we'll reassign
Assignee: nobody → ekr
Comment 8•11 years ago
|
||
We'd like to resolve this in the code within the next 2 weeks. Adding an internal tracking deadline of Sept 6.
Reporter | ||
Comment 9•11 years ago
|
||
The problem isn't implementing it, it's when we can commit it without implicitly disclosing a problem in both ffox and Chrome.
Comment 10•11 years ago
|
||
(In reply to Eric Rescorla (:ekr) from comment #9) > The problem isn't implementing it, it's when we can commit it without > implicitly disclosing a problem in both ffox and Chrome. I understand. I'm just asking everyone (everyone who needs to help make this happen) if we can target resolving this issue within the next 2 weeks. I realize there are lots of dependencies.
Comment 11•11 years ago
|
||
>
> I understand. I'm just asking everyone (everyone who needs to help make this
> happen) if we can target resolving this issue within the next 2 weeks. I
> realize there are lots of dependencies.
I also realize that it won't be truly "resolved" until we release updates to the field. So perhaps the better and more precise question to ask everyone is: can we target having a release plan with Chrome to resolve this issue within 2 weeks?
Updated•11 years ago
|
Flags: needinfo?(dveditz)
Comment 13•11 years ago
|
||
(In reply to Eric Rescorla (:ekr) from comment #9) > The problem isn't implementing it, it's when we can commit it without > implicitly disclosing a problem in both ffox and Chrome. When asked about landing this the Google security team said "Please go right ahead. We never get very excited about DOS class issues."
Assignee | ||
Comment 14•11 years ago
|
||
Strawman patch.
Assignee | ||
Updated•11 years ago
|
Assignee: ekr → docfaraday
Status: NEW → ASSIGNED
Assignee | ||
Comment 15•11 years ago
|
||
Comment on attachment 827067 [details] [diff] [review] (WIP) Very simple global rate-limiting based on SimpleTokenBucket. Will tolerate a maximum of 8K/sec over 1 sec, and 1.8K/sec over 20 sec. Review of attachment 827067 [details] [diff] [review]: ----------------------------------------------------------------- Is this roughly what we're looking for?
Attachment #827067 -
Flags: feedback?(ekr)
Assignee | ||
Comment 16•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=5f5888d855b7
Assignee | ||
Comment 17•11 years ago
|
||
Add a comment that more clearly explains why the rate limiting is needed.
Assignee | ||
Updated•11 years ago
|
Attachment #827067 -
Attachment is obsolete: true
Attachment #827067 -
Flags: feedback?(ekr)
Assignee | ||
Updated•11 years ago
|
Attachment #827486 -
Flags: feedback?(ekr)
Reporter | ||
Comment 18•11 years ago
|
||
Comment on attachment 827486 [details] [diff] [review] (WIP) Very simple global rate-limiting based on SimpleTokenBucket. Will tolerate a maximum of 8K/sec over 1 sec, and 1.8K/sec over 20 sec. Review of attachment 827486 [details] [diff] [review]: ----------------------------------------------------------------- ::: media/mtransport/nr_socket_prsock.cpp @@ +395,5 @@ > + // (see http://tools.ietf.org/html/draft-thomson-mmusic-ice-webrtc) > + // Tolerate rate of 8k/sec, for one second. > + static SimpleTokenBucket burst(8192*1, 8192); > + // Tolerate rate of 1.8k/sec over twenty seconds. > + static SimpleTokenBucket sustained(1843*20, 1843); I think Martin may have changed his recommendation here to just be 100kbps overall. Martin? @@ +399,5 @@ > + static SimpleTokenBucket sustained(1843*20, 1843); > + if (burst.getTokens(UINT32_MAX) < len || > + sustained.getTokens(UINT32_MAX) < len) { > + // TODO(bcampen@mozilla.com): Better error code for this? > + ABORT(R_NOT_PERMITTED); IIRC, R_NOT_PERMITTED causes an error higher up. I recommend R_WOULDBLOCK or a silent drop. @@ +403,5 @@ > + ABORT(R_NOT_PERMITTED); > + } > + > + burst.getTokens(len); > + sustained.getTokens(len); You should comment this so it's clear what's going on. Also, a note that this isn't thread safe would probably be useful.
Attachment #827486 -
Flags: feedback?(ekr)
Comment 19•11 years ago
|
||
Byron has used the numbers that I recommended in the draft. However, I've talked to some people and a higher limit is probably better for the longer term limit to prevent some valid cases with multiple agents from bumping the cap. Doubling the rate for the slower token bucket would probably be ok.
Assignee | ||
Comment 20•11 years ago
|
||
(In reply to Eric Rescorla (:ekr) from comment #18) > Comment on attachment 827486 [details] [diff] [review] > (WIP) Very simple global rate-limiting based on SimpleTokenBucket. Will > tolerate a maximum of 8K/sec over 1 sec, and 1.8K/sec over 20 sec. > > Review of attachment 827486 [details] [diff] [review]: > ----------------------------------------------------------------- > > @@ +399,5 @@ > > + static SimpleTokenBucket sustained(1843*20, 1843); > > + if (burst.getTokens(UINT32_MAX) < len || > > + sustained.getTokens(UINT32_MAX) < len) { > > + // TODO(bcampen@mozilla.com): Better error code for this? > > + ABORT(R_NOT_PERMITTED); > > IIRC, R_NOT_PERMITTED causes an error higher up. > > I recommend R_WOULDBLOCK or a silent drop. > I was worried that at some point R_WOULDBLOCK would prompt a retry. I guess it wouldn't be too awful if that happened. > @@ +403,5 @@ > > + ABORT(R_NOT_PERMITTED); > > + } > > + > > + burst.getTokens(len); > > + sustained.getTokens(len); > > You should comment this so it's clear what's going on. > > Also, a note that this isn't thread safe would probably be useful. Ok.
Assignee | ||
Comment 21•11 years ago
|
||
(In reply to Martin Thomson from comment #19) > Byron has used the numbers that I recommended in the draft. However, I've > talked to some people and a higher limit is probably better for the longer > term limit to prevent some valid cases with multiple agents from bumping the > cap. Doubling the rate for the slower token bucket would probably be ok. I'll do that.
Assignee | ||
Comment 22•11 years ago
|
||
Incorporate feedback.
Assignee | ||
Updated•11 years ago
|
Attachment #827486 -
Attachment is obsolete: true
Assignee | ||
Updated•11 years ago
|
Attachment #831077 -
Flags: review?(ekr)
Reporter | ||
Comment 23•11 years ago
|
||
Comment on attachment 831077 [details] [diff] [review] Very simple global rate-limiting based on SimpleTokenBucket. Will tolerate a maximum of 8K/sec over 1 sec, and 3.6K/sec over 20 sec. Review of attachment 831077 [details] [diff] [review]: ----------------------------------------------------------------- lgtm ::: media/mtransport/nr_socket_prsock.cpp @@ +401,5 @@ > + > + // Check number of tokens in each bucket. > + if (burst.getTokens(UINT32_MAX) < len || > + sustained.getTokens(UINT32_MAX) < len) { > + ABORT(R_WOULDBLOCK); Suggest adding a high level (ERR) log here and an assert. That way if this happens in the field we will know earlier.
Attachment #831077 -
Flags: review?(ekr) → review+
Assignee | ||
Comment 24•11 years ago
|
||
(In reply to Eric Rescorla (:ekr) from comment #23) > Comment on attachment 831077 [details] [diff] [review] > Very simple global rate-limiting based on SimpleTokenBucket. Will tolerate a > maximum of 8K/sec over 1 sec, and 3.6K/sec over 20 sec. > > Review of attachment 831077 [details] [diff] [review]: > ----------------------------------------------------------------- > > lgtm > > ::: media/mtransport/nr_socket_prsock.cpp > @@ +401,5 @@ > > + > > + // Check number of tokens in each bucket. > > + if (burst.getTokens(UINT32_MAX) < len || > > + sustained.getTokens(UINT32_MAX) < len) { > > + ABORT(R_WOULDBLOCK); > > Suggest adding a high level (ERR) log here and an assert. That way if this > happens > in the field we will know earlier. Hmm. This would allow someone to crash my browser by spamming candidates; we don't require any user interaction to allow a PeerConnection to spin up (at least, not in the DataChannel-only case).
Assignee | ||
Comment 25•11 years ago
|
||
Unbitrot
Assignee | ||
Updated•11 years ago
|
Attachment #831077 -
Attachment is obsolete: true
Assignee | ||
Comment 26•11 years ago
|
||
Add some logging when we drop STUN requests due to the rate limit.
Assignee | ||
Updated•11 years ago
|
Attachment #832368 -
Attachment is obsolete: true
Assignee | ||
Comment 27•11 years ago
|
||
Use MOZ_ASSERT, since that won't crash on release builds.
Assignee | ||
Updated•11 years ago
|
Attachment #832384 -
Attachment is obsolete: true
Assignee | ||
Comment 28•11 years ago
|
||
Comment on attachment 832497 [details] [diff] [review] Very simple global rate-limiting based on SimpleTokenBucket. Will tolerate a maximum of 8K/sec over 1 sec, and 3.6K/sec over 20 sec. Review of attachment 832497 [details] [diff] [review]: ----------------------------------------------------------------- This look about right to you? https://bugzilla.mozilla.org/attachment.cgi?oldid=832368&action=interdiff&newid=832497&headers=1
Attachment #832497 -
Flags: review?(ekr)
Reporter | ||
Comment 29•11 years ago
|
||
Comment on attachment 832497 [details] [diff] [review] Very simple global rate-limiting based on SimpleTokenBucket. Will tolerate a maximum of 8K/sec over 1 sec, and 3.6K/sec over 20 sec. Review of attachment 832497 [details] [diff] [review]: ----------------------------------------------------------------- Does MOZ_ASSERT generate a log message if it's not in debug mode? Anyway, feel free to land as-is without rereview.
Attachment #832497 -
Flags: review?(ekr) → review+
Comment 30•11 years ago
|
||
> Does MOZ_ASSERT generate a log message if it's not in debug mode?
No
Reporter | ||
Comment 31•11 years ago
|
||
Then let's add a separate log to go along with the MOZ_ASSERT. Byron, please land.
Assignee | ||
Comment 32•11 years ago
|
||
Add a log message.
Assignee | ||
Updated•11 years ago
|
Attachment #832497 -
Attachment is obsolete: true
Assignee | ||
Updated•11 years ago
|
Attachment #8333497 -
Flags: checkin?(adam)
Assignee | ||
Comment 33•11 years ago
|
||
Comment on attachment 8333497 [details] [diff] [review] Very simple global rate-limiting based on SimpleTokenBucket. Will tolerate a maximum of 8K/sec over 1 sec, and 3.6K/sec over 20 sec. Review of attachment 8333497 [details] [diff] [review]: ----------------------------------------------------------------- Carry forward r+ ekr.
Attachment #8333497 -
Flags: review+
Comment 34•11 years ago
|
||
Comment on attachment 8333497 [details] [diff] [review] Very simple global rate-limiting based on SimpleTokenBucket. Will tolerate a maximum of 8K/sec over 1 sec, and 3.6K/sec over 20 sec. https://hg.mozilla.org/integration/mozilla-inbound/rev/a906959d7743
Attachment #8333497 -
Flags: checkin?(adam) → checkin+
https://hg.mozilla.org/mozilla-central/rev/a906959d7743
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox28:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment 36•10 years ago
|
||
Does this need any testing from QA? If so, please advise.
Flags: needinfo?(docfaraday)
Assignee | ||
Comment 37•10 years ago
|
||
Hmm. Probably not. ekr?
Flags: needinfo?(docfaraday) → needinfo?(ekr)
Comment 38•10 years ago
|
||
I can provide a test case that someone should run, but I think that Byron is amply qualified to do so. I don't know if you want to commit that test case to mochitest though.
Comment 39•10 years ago
|
||
How far back does this issue go?
Updated•10 years ago
|
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → affected
status-firefox26:
--- → wontfix
status-firefox27:
--- → affected
status-firefox-esr24:
--- → wontfix
Comment 41•10 years ago
|
||
This applies cleanly to beta and b2g26. Please request approval for uplift :)
Assignee | ||
Comment 42•10 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #41) > This applies cleanly to beta and b2g26. Please request approval for uplift :) What about aurora?
Flags: needinfo?(docfaraday)
Assignee | ||
Comment 43•10 years ago
|
||
Comment on attachment 8333497 [details] [diff] [review] Very simple global rate-limiting based on SimpleTokenBucket. Will tolerate a maximum of 8K/sec over 1 sec, and 3.6K/sec over 20 sec. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 790517 User impact if declined: A user's browser could be induced to perform a DoS attack. Testing completed (on m-c, etc.): The usual CI testing, plus some manual testing. Risk to taking this patch (and alternatives if risky): Fairly low. String or IDL/UUID changes made by this patch: None.
Attachment #8333497 -
Flags: approval-mozilla-beta?
Attachment #8333497 -
Flags: approval-mozilla-b2g26?
Comment 44•10 years ago
|
||
It landed on trunk when it was version 28, so Aurora already has the fix.
Updated•10 years ago
|
Attachment #8333497 -
Flags: approval-mozilla-beta?
Attachment #8333497 -
Flags: approval-mozilla-beta+
Attachment #8333497 -
Flags: approval-mozilla-b2g26?
Attachment #8333497 -
Flags: approval-mozilla-b2g26+
Comment 45•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/a58670048f99 https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/ac3d130edf30
Comment 46•10 years ago
|
||
(In reply to Martin Thomson [:mt] from comment #38) > I can provide a test case that someone should run, but I think that Byron is > amply qualified to do so. I don't know if you want to commit that test case > to mochitest though. Eric, please advise.
Flags: needinfo?(ekr)
Reporter | ||
Comment 47•10 years ago
|
||
I think it's fine to commit it as long as it doesn't do something bad as a side effect.
Flags: needinfo?(ekr)
Updated•10 years ago
|
Keywords: csectype-dos
Updated•10 years ago
|
Keywords: csectype-dos
Whiteboard: [qa-] → [qa-][adv-main27-]
Updated•10 years ago
|
Keywords: csectype-dos
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•