[ https://issues.apache.org/jira/browse/TS-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan M. Carroll resolved TS-1422.
---------------------------------

    Resolution: Fixed

Commit 043815e7a7a67b79a2ca6fdc3f6d6751e5150411
                
> TProxy + proxy.config.http.use_client_target_addr can cause site-specific 
> DoS when DNS records are bad/stale or point to unreachable servers
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: TS-1422
>                 URL: https://issues.apache.org/jira/browse/TS-1422
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP
>    Affects Versions: 3.2.0
>         Environment: Version 3.2 running with TProxy interception and 
> proxy.config.http.use_client_target_addr == 1
>            Reporter: B Wyatt
>            Assignee: Alan M. Carroll
>             Fix For: 3.3.3
>
>
> In the presence of multiple A(AA) records from DNS, most consumer browsers 
> will choose an alternate record if their current selected record is 
> unreachable.  This allows the browser to successfully mitigate downed servers 
> and stale/erroneous DNS entries.
> However, an intercepting proxy will establish a connection for a given 
> endpoint regardless of the state of the upstream endpoint.  As a result, the 
> browser's ability to detect downed origin servers is completely neutralized.
> When enabling proxy.config.http.use_client_target_addr this situation creates 
> a localized service outage.  ATS will skip DNS checks in favor of using the 
> endpoint address that the client was attempting to connect to during 
> interception.  If this endpoint is unreachable, ATS will send an error 
> response (50x) to the user browser.  Since the browser assumes this is from 
> the Origin Server, it makes no attempt to move to the next DNS record. 
> In the event that a DNS record is erroneous or the most selected record (aka 
> first?) points to a down server, this can deny access to a destination for 
> users behind the transparent proxy, while users that are not intercepted 
> merely see increased latency as their browser cycles through bad DNS entries 
> looking for a good address.
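The interaction the report describes can be modelled in a few lines. The following is an added illustration, not Apache Traffic Server code and not a description of what the referenced commit changes: a browser that walks its list of A records until a TCP connect succeeds, compared with the same browser behind an intercepting proxy whose connect always "succeeds" and which, with use_client_target_addr == 1, only ever tries the address the client picked. The DNS answer and the reachability table are constructed, and the third transport (fall back to the proxy's own DNS resolution when the client's target is unreachable) is an assumed mitigation strategy used here to show what restores the browser's outcome.

```python
"""Model of the DNS-failover interaction described in TS-1422.

Added illustration, not Apache Traffic Server code. Addresses, DNS answers
and reachability are constructed; the transports are simplified models of
the behaviours the report describes, and dns_fallback_transport is an
assumed mitigation, not a description of the actual fix.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS answers: origin.example has three A records, the first two
# stale or pointing at a dead host; dead.example has nothing reachable at all.
DNS_RECORDS: Dict[str, List[str]] = {
    "origin.example": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "dead.example": ["198.51.100.5", "198.51.100.6"],
}

# Constructed reachability table: True means a TCP connect to that address succeeds.
REACHABLE: Dict[str, bool] = {
    "192.0.2.10": False,    # stale record, host no longer exists
    "192.0.2.11": False,    # server is down
    "192.0.2.12": True,     # healthy origin
    "198.51.100.5": False,
    "198.51.100.6": False,
}

# A transport takes the address the browser chose and returns either None
# (TCP connect failed, so the browser will move on) or an HTTP status that
# the browser treats as the origin's answer and does not retry.
Transport = Callable[[str], Optional[int]]


def tcp_connect(addr: str) -> bool:
    """Stand-in for a TCP connect that consults the constructed table."""
    return REACHABLE.get(addr, False)


def browser_fetch(host: str, transport: Transport) -> Tuple[Optional[int], int]:
    """Browser behaviour from the report: try each A record until one connects.

    Returns (status, attempts). status is None only if every record failed at
    the transport layer; any HTTP status ends the walk, because the browser
    assumes it came from the origin.
    """
    attempts = 0
    for addr in DNS_RECORDS[host]:
        attempts += 1
        status = transport(addr)
        if status is not None:
            return status, attempts
    return None, attempts


def direct_transport(addr: str) -> Optional[int]:
    """No proxy: the browser sees the real connect result for each record."""
    return 200 if tcp_connect(addr) else None


def intercepting_transport(addr: str) -> Optional[int]:
    """TProxy with use_client_target_addr == 1, as described in the report.

    The proxy accepts the client's TCP connection regardless of origin state,
    connects only to the address the client was trying to reach, and answers
    with a 50x when that fails. The browser never sees a failed connect.
    """
    return 200 if tcp_connect(addr) else 502


def dns_fallback_transport(host: str) -> Transport:
    """Assumed mitigation (not the project's fix): keep the client's target as
    the first choice, but if it is unreachable resolve the host ourselves and
    try the remaining records before giving up with a 50x."""
    def transport(addr: str) -> Optional[int]:
        if tcp_connect(addr):
            return 200
        for alt in DNS_RECORDS.get(host, []):
            if alt != addr and tcp_connect(alt):
                return 200
        return 502
    return transport


if __name__ == "__main__":
    for host in DNS_RECORDS:
        print(host)
        print("  direct           :", browser_fetch(host, direct_transport))
        print("  intercepted      :", browser_fetch(host, intercepting_transport))
        print("  with DNS fallback:", browser_fetch(host, dns_fallback_transport(host)))
```

Run directly, the model shows the asymmetry the report complains about: the un-intercepted browser reaches origin.example on its third attempt (extra latency only), while the intercepted browser stops after one attempt with a 502 it believes came from the origin. For dead.example the outcomes converge, since nothing is reachable either way.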

--
This message is automatically generated by JIRA.