[openstack-dev] [neutron][metadata] Is there HTTP attack issue in metadata proxy functionality offered by reference implementation?

Clint Byrum clint at fewbar.com
Wed Nov 16 16:52:13 UTC 2016


Excerpts from huangdenghui's message of 2016-11-17 00:05:39 +0800:
> hi
>     Currently, nova metadata service is proxy by metadata agent in dhcp agent or l3 router agent, it is depended on whether network attach to router or not. In essential, metadata agent implements a http proxy functionality by computer node host protocal stack. In other words, it exposes host protocol stack to vm. If vm is a attacker, it can launch a HTTP GET flood attacks. then it may affect this computer node. I would like to hear you guy's  opinion. any comment is welcome. thanks.

Yes, it's an attack vector and should be protected and monitored as
such.

IMO the HTTP metadata service and the way it works is one of the worst
ideas we borrowed from EC2. Config drive (which I didn't like when I
first saw it, but now that I've operated clouds, I love) is a simpler
system and does not present any real surface area to the users.



More information about the OpenStack-dev mailing list