This repository has been archived by the owner on Aug 12, 2021. It is now read-only.

don't cache more than 1024 entries, to avoid DoS attacks #5

Status: Open. Wants to merge 1 commit into base: master.

Conversation

marten-seemann (Owner) commented Jul 2, 2021

This is a copy of grandcat#94.

The size of the sentEntries map needs to be limited, otherwise an attacker can consume unbounded state.

The solution implemented here is very simple, but given Go's lack of data structures, any more sophisticated solution would require keeping track of a lot more state: The cache is deleted when it overflows.

@Stebalien, could you review this PR?

@marten-seemann marten-seemann force-pushed the dos-protect-sent-entries2 branch from 9c354b9 to a0bfb77 Compare July 2, 2021 19:55
```go
// DoS protection: don't cache more than maxSentEntries entries
if len(sentEntries) >= maxSentEntries {
	for key := range sentEntries {
		delete(sentEntries, key)
	}
}
```
Collaborator (review comment on the lines above):

Also: we can just store a set, right? No need to store the values.

Collaborator:

Otherwise, a small number of entries could still be large.

Owner Author:

Let's do that in a separate PR.

@marten-seemann marten-seemann force-pushed the dos-protect-sent-entries2 branch from a0bfb77 to 6e55e42 Compare July 2, 2021 21:19
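As an added illustration, not code from this PR or from the project it targets: a bounded set of already-sent keys that is flushed when it fills, combining the PR's clear-on-overflow rule with the reviewer's suggestion to store a set instead of values. The names sentCache, markSent and flushes are assumed for this example; the flood input is constructed.

```go
package main

import "fmt"

// maxSentEntries bounds the cache. The constant name matches the PR's
// snippet; the value 1024 is the limit from the PR title.
const maxSentEntries = 1024

// sentCache remembers which entries were already sent. It is a set
// (map[string]struct{}) rather than a map to values, so each cached item
// costs only its key, as the review comment suggests.
type sentCache struct {
	entries map[string]struct{}
	flushes int // how often the cache overflowed and was cleared
}

func newSentCache() *sentCache {
	return &sentCache{entries: make(map[string]struct{})}
}

// markSent records key as sent and reports whether it was already present.
// DoS protection: when the set is full it is cleared rather than grown,
// mirroring the PR. A flood of distinct keys can force re-sends, but the
// process never holds more than maxSentEntries keys.
func (c *sentCache) markSent(key string) bool {
	if _, ok := c.entries[key]; ok {
		return true
	}
	if len(c.entries) >= maxSentEntries {
		for k := range c.entries {
			delete(c.entries, k)
		}
		c.flushes++
	}
	c.entries[key] = struct{}{}
	return false
}

func (c *sentCache) size() int { return len(c.entries) }

func main() {
	c := newSentCache()
	// Constructed flood of distinct names, three times the cache bound.
	for i := 0; i < 3*maxSentEntries; i++ {
		c.markSent(fmt.Sprintf("host-%d.local.", i))
	}
	fmt.Printf("size=%d flushes=%d\n", c.size(), c.flushes)
}
```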
2 participants