GitHub user rhtyd reopened a pull request:
https://github.com/apache/cloudstack/pull/1663
[LTS/blocker] CLOUDSTACK-6432: Prevent DNS reflection attacks
CLOUDSTACK-6432: Prevent DNS reflection attacks
DNS on VR should not be publicly accessible as it may be prone to DNS
amplification/reflection attacks. This fixes the issue by only allowing VR
DNS (port 53) to be accessible from the guest network CIDR, as per the fix in:
https://issues.apache.org/jira/browse/CLOUDSTACK-6432
- Only allows guest network CIDRs to query VR DNS on port 53.
- Includes a Marvin smoke test that checks VR DNS accessibility from guest
and non-guest networks.
- Fixes Marvin sshClient to avoid using the ssh agent when a password is
provided; previously some environments may have seen a 'No existing session'
exception without this fix.
- Adds a new dnspython dependency that is used to perform DNS resolutions in
the tests.
Due to repository commit issues I've created this PR, based on #1653.
/cc @jburwell @karuturi @NuxRo @ustcweizhou @wido and others
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/shapeblue/cloudstack 4.9-dnsreflection-attack
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/1663.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1663
----
commit 56ad2c83ae2fb8f3cb74df15ed57a35c795ebced
Author: Rohit Yadav <[email protected]>
Date: 2016-08-22T09:31:41Z
CLOUDSTACK-6432: Prevent DNS reflection attacks
DNS on VR should not be publicly accessible as it may be prone to DNS
amplification/reflection attacks. This fixes the issue by only allowing VR
DNS (port 53) to be accessible from the guest network CIDR, as per the fix in:
https://issues.apache.org/jira/browse/CLOUDSTACK-6432
- Only allows guest network CIDRs to query VR DNS on port 53.
- Includes a Marvin smoke test that checks VR DNS accessibility from guest
and non-guest networks.
- Fixes Marvin sshClient to avoid using the ssh agent when a password is
provided; previously some environments may have seen a 'No existing session'
exception without this fix.
- Adds a new dnspython dependency that is used to perform DNS resolutions in
the tests.
Signed-off-by: Rohit Yadav <[email protected]>
----
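The restriction the PR describes, as an added example that is not code from the CloudStack PR or from the VR's own firewall scripts: a small Python model that renders the kind of iptables INPUT rules needed so that only the guest network CIDR can reach the resolver on port 53, and evaluates sample packets against the open ("before") and restricted ("after") rule sets. The guest CIDR 10.1.1.0/24, the interface names eth0 (guest) and eth2 (public), and the source addresses are constructed for the example; pinning the ACCEPT rule to the guest interface is this example's own hardening choice, added so that a packet spoofing a guest source address on the public side is still dropped, and is not something the page states the PR does.

```python
"""Model of the CLOUDSTACK-6432 port-53 restriction (added example, not project code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    iface: str    # interface the packet arrived on at the VR


@dataclass(frozen=True)
class Rule:
    """One iptables INPUT rule; a None field matches anything."""
    action: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    dport: Optional[int] = None
    source: Optional[str] = None  # CIDR, e.g. "10.1.1.0/24"
    iface: Optional[str] = None   # ingress interface, e.g. "eth0"

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.source is not None:
            net = ipaddress.ip_network(self.source, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        return True

    def render(self) -> str:
        """Render as an iptables rule-spec line (standard iptables syntax)."""
        parts = ["-A INPUT"]
        if self.iface is not None:
            parts += ["-i", self.iface]
        if self.source is not None:
            parts += ["-s", self.source]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.action]
        return " ".join(parts)


def dns_rules_open() -> List[Rule]:
    """'Before' state: port 53 accepted from any source, so the VR can be
    used as a reflector by anyone who can reach its public address."""
    return [Rule("ACCEPT", proto=p, dport=53) for p in ("udp", "tcp")]


def dns_rules_restricted(guest_cidr: str, guest_iface: str) -> List[Rule]:
    """'After' state: port 53 accepted only from the guest CIDR, and only on
    the guest-facing interface (interface pinning is this example's addition)."""
    # Validate up front: a malformed CIDR must fail loudly rather than be
    # rendered into a rule that silently matches nothing or everything.
    ipaddress.ip_network(guest_cidr, strict=False)
    return [Rule("ACCEPT", proto=p, dport=53, source=guest_cidr, iface=guest_iface)
            for p in ("udp", "tcp")]


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First-match semantics like an iptables chain; `policy` is the chain default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


def render_rules(rules: List[Rule]) -> List[str]:
    return [r.render() for r in rules]


if __name__ == "__main__":
    # Constructed sample traffic: a guest VM, an Internet host, and a spoofed
    # guest source arriving on the public interface.
    samples = [
        Packet("10.1.1.20", "udp", 53, "eth0"),
        Packet("203.0.113.7", "udp", 53, "eth2"),
        Packet("10.1.1.20", "udp", 53, "eth2"),
    ]
    for label, rules in (("open", dns_rules_open()),
                         ("restricted", dns_rules_restricted("10.1.1.0/24", "eth0"))):
        print(f"[{label}]")
        for line in render_rules(rules):
            print("  iptables", line)
        for pkt in samples:
            print(f"  {pkt.src:>12} via {pkt.iface} -> {evaluate(rules, pkt)}")
```

The model only covers the filter side of the fix. The PR's Marvin smoke test exercises the real thing: it uses dnspython to resolve through the VR from a guest VM and from outside the guest network and expects the second to fail, which is the check to keep in any regression suite for this change.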