DoS attack possible due to fixed shm size
Closed this issue · 1 comments
OOM conditions in the shm segment are not handled at all well at the moment leading to an easy DOS attack. valid nonces are added to the shm and expired seconds or minutes later. Once the shm is full no new nonces can be remembered and all auth attempts will fail until enough space has been claimed through expiration. It's unclear to me whether it's possible to realloc the shm segment to a larger size after config-time (or if additional segments could be alloc'd to allow for a bank-switching solution).
If the amount of memory really is finite, then that argues either for more aggressive eviction in low-memory conditions or for moving the state storage to the filesystem. Could nginx's file caching machinery be used for managing look-up and expiration?
Resizing the shm at runtime is somewhat daunting so for the moment the ‘solution’ is to make sure the shm size is at the upper end of the number of requests nginx could plausibly serve within the expiration interval. Though unsatisfying, this seems to be the way most shm-bound modules deal with OOM errors.