[Openstack-security] [Bug 1227575] Re: DoS style attack on noVNC server can lead to service interruption or disruption

Abhishek Kekane abhishek.kekane at nttdata.com
Wed Mar 5 07:41:27 UTC 2014 

Hi,

One possible solution to limit the console sessions for both vnc and
spice consoles is that we can query to compute node to know how many tcp
connections are established for a given console graphics port of the vm
using netstat command. If the number of established tcp connections
exceeds that of configured value, then it is possible to restrict users
from connecting to the console.

sudo netstat -pnt | awk '{print $4}' | egrep '^127.0.0.1:5900$’
127.0.0.1 : vncserver_listen parameter from nova.conf
5900: graphics port either for spice or vnc.

For this to work, we need to know whether the tcp connections per spice
console is governed by libvirt or there are any other external factors
involved that could vary the count of the tcp connections. Once we know
count of tcp connections are bound to libvirt then we can write the
logic in the libvirt driver to return tcp connections count accordingly
per console type (spice or vnc).

Also need to check how this would work for other hypervisors.

Advantage:
1. No need to persist connection data per vm per session saving disk space

Disadvantage:
1. One additional rpc call to the compute node per console

Please let me know your suggestions on the same.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1227575

Title:
  DoS style attack on noVNC server can lead to service interruption or
  disruption

Status in OpenStack Compute (Nova):
  In Progress
Status in OpenStack Security Notes:
  New

Bug description:
  There is no limiting on the number of VNC sessions that can be created for a single user's VNC token.
  Any attempt to create multiple (say hundreds or thousands) of websocket connections to the VNC server
  results in many connection timeouts. Due to these connection timeout error, other users trying to access their 
  VM's VNC console cannot do so.

  A sample script that tries to create 100,000 connections to Nova noVNC proxy, shows timeout errors
  Script: http://paste.openstack.org/show/47254/

  Script output.... connections get timed out after a while
  -------------------
  ....
  ..

  Creating Connection
  Receiving...
  Received 'RFB 003.008
  '
  Creating Connection
  Receiving...
  Received 'RFB 003.008
  '
  Creating Connection
  Receiving...
  Received 'RFB 003.008
  '
  Creating Connection
  Receiving...
  Received 'RFB 003.008
  '
  Creating Connection
  Receiving...
  Received 'RFB 003.008
  '
  Creating Connection
  Receiving...
  Received 'RFB 003.008
  '
  Creating Connection
  Receiving...
  timed out
  Creating Connection
  Receiving...
  timed out
  Creating Connection
  Receiving...
  timed out
  Creating Connection
  Receiving...
  timed out
  Creating Connection
  Receiving...
  timed out
  --------------------

  Impact:
  1. Many of the sessions timeout. Any attempt to open other sessions also intermittently fail.
  This can cause serious problems to users already having a running VNC session or trying to create new sessions.

  2. The overall performance and response times of other nova services running on the novnc host, using tcp protocol
  also gets affected after the connection timeout errors.

  For example:
  Before running the sumulate thousands of connections program:
  $ time nova get-vnc-console c1b093a3-f53b-4282-b89c-e68f0fa1b6e5  novnc
  +-------+---------------------------------------------------------------------------------+
  | Type  | Url                                                                             |
  +-------+---------------------------------------------------------------------------------+
  | novnc | http://10.2.3.102:6080/vnc_auto.html?token=e776dd33-422f-4b56-9f98-e317410d0212 |
  +-------+---------------------------------------------------------------------------------+

  real    0m0.751s
  user    0m0.376s
  sys     0m0.084s

  rohit at precise-dev-102:~/tools/websocket-client-0.7.0$

  After running the program, the response time is quite high:
  $ time nova get-vnc-console c1b093a3-f53b-4282-b89c-e68f0fa1b6e5  novnc

  +-------+---------------------------------------------------------------------------------+
  | Type  | Url                                                                             |
  +-------+---------------------------------------------------------------------------------+
  | novnc | http://10.2.3.102:6080/vnc_auto.html?token=6865d675-d852-478b-b1ee-457b092f11b9 |
  +-------+---------------------------------------------------------------------------------+

  real    3m9.231s
  user    0m0.424s
  sys     0m0.108s

  
  Possible solutions:
  1. Allow just 1 session per instance, and raise a new exception, say, VNCSessionAlreadyExists to reject multiple
  connections for the same token, and return an error code to the user.
  2. Make the number of sessions allowed per instance configurable, limited by some count of sessions.

  However, both of these solutions may need to override and modify the do_proxy() method of websockify's WebSocketProxy class, 
  which can lead to maintenance issues.

  Another possible solution would be to implement some kind of callback function in websockify, to which we can pass the token
  for reconnection. This would first need contribution to the websockify project code, and then update Nova.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1227575/+subscriptions

More information about the Openstack-security mailing list