
note that there exist trivial denial of service attacks #53


Merged 1 commit into main from not-robust on Apr 27, 2023

Conversation

jepler (Contributor) commented Apr 27, 2023

.. and suggest use only on trusted networks.

@ali1234

.. and suggest use only on trusted networks
dhalbert (Contributor) left a comment:

sure!

@dhalbert dhalbert merged commit c5168df into main Apr 27, 2023
@dhalbert dhalbert deleted the not-robust branch April 27, 2023 02:40
michalpokusa (Contributor) commented:

Do you have any idea how it could prevent a DoS attack? Because, to be honest, I see some aspects of security that could be improved, but not really about preventing DoS. How would it work without external services, load balancers, etc.?

We could implement rate limiting, but this would be bad from a performance standpoint.
I would be happy to implement that, but right now I can't imagine how this could work on a microcontroller.
And there is still DDoS...

Considering that we can't host HTTPS directly on a microcontroller (as far as I know), using e.g. nginx on a Raspberry Pi seems logical whenever someone wants to expose the web server to the public. And by using nginx we can get both HTTPS and load balancing, etc.

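The rate limiting mentioned above can be done in constant time per request and with bounded memory, which is the part that matters on a microcontroller: the client table itself must be capped, otherwise a flood of new source addresses just moves the exhaustion from the request handler into the limiter. What follows is an added example written for this thread, not code from Adafruit_CircuitPython_HTTPServer; the class and function names (`TokenBucketLimiter`, `FakeClock`, `demo_flood`) are my own, it runs under CPython, and the clock used in the demo is constructed so the run is deterministic. It does nothing about bandwidth or a distributed flood, which, as the comment says, is still the reverse proxy's job.

```python
"""Per-client token-bucket limiter with a bounded client table (added example).

Design constraints taken from the thread: single-threaded loop, no background
tasks, O(1) work per request, hard cap on memory held per client table.
Assumption: collections.OrderedDict is available (true on CPython; on a
CircuitPython build without it, a plain dict plus a list for LRU order works).
"""

from collections import OrderedDict
import time


class TokenBucketLimiter:
    """Allow up to `burst` requests at once, then `rate_per_sec` sustained, per client."""

    def __init__(self, rate_per_sec, burst, max_clients, clock=time.monotonic):
        if rate_per_sec <= 0 or burst <= 0 or max_clients <= 0:
            raise ValueError("rate_per_sec, burst and max_clients must be positive")
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.max_clients = max_clients
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        # client -> [tokens, last_refill]; insertion order doubles as LRU order
        self._buckets = OrderedDict()

    def allow(self, client):
        """Return True if `client` may be served now, False if it should be dropped."""
        now = self.clock()
        bucket = self._buckets.get(client)
        if bucket is None:
            if len(self._buckets) >= self.max_clients:
                # Evict the least recently seen client instead of growing without bound,
                # so a flood of fresh source addresses cannot exhaust RAM via the limiter.
                self._buckets.popitem(last=False)
            bucket = [self.burst, now]
            self._buckets[client] = bucket
        else:
            tokens, last = bucket
            # Lazy refill: credit tokens for elapsed time, capped at the burst size.
            bucket[0] = min(self.burst, tokens + (now - last) * self.rate)
            bucket[1] = now
            self._buckets.move_to_end(client)  # mark as most recently seen
        if bucket[0] >= 1.0:
            bucket[0] -= 1.0
            return True
        return False

    def tracked_clients(self):
        """Number of clients currently held in the (bounded) table."""
        return len(self._buckets)

    def is_tracked(self, client):
        return client in self._buckets


class FakeClock:
    """Constructed clock for deterministic demonstration; not for production use."""

    def __init__(self, start=0.0):
        self.now = float(start)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo_flood():
    """One client sends 20 requests at t=0, then 5 more one second later.

    Returns (allowed_at_t0, allowed_after_1s). With burst=5 and rate=2/s the
    expected result is (5, 2): the burst is spent, then one second refills two tokens.
    """
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate_per_sec=2, burst=5, max_clients=16, clock=clock)
    allowed_at_t0 = sum(1 for _ in range(20) if limiter.allow("10.0.0.7"))
    clock.advance(1.0)
    allowed_after_1s = sum(1 for _ in range(5) if limiter.allow("10.0.0.7"))
    return allowed_at_t0, allowed_after_1s


if __name__ == "__main__":
    print("allowed at t=0, allowed after 1s:", demo_flood())
```

The limiter only decides whether to serve a request; what to do on `False` (close the socket immediately, or answer 429 and close) is a separate choice, and the cheapest option on a constrained board is to close without reading further.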
dhalbert (Contributor) commented:

@michalpokusa I'd say this is just a warning about use: if you use this on the public internet, be aware you are open to this kind of attack. I don't see a reason to try to mitigate a DoS attack; if that is a possibility, you might not want to put yourself in that situation.

ali1234 commented Apr 27, 2023

It probably won't be possible to really mitigate directed attacks, but the problem I reported is trivial enough that it can happen accidentally (which is how I found it).

jepler (Contributor, author) commented Apr 28, 2023

We'd be happy to see this made more robust! The point of this change was not to dissuade folks from improving the package, but rather to be honest about the level of security that is presently provided.

adafruit-adabot added a commit to adafruit/Adafruit_CircuitPython_Bundle that referenced this pull request May 23, 2023
Updating https://github.com/adafruit/Adafruit_CircuitPython_EPD to 2.11.2 from 2.11.1:
  > Merge pull request adafruit/Adafruit_CircuitPython_EPD#65 from sdomoszlai13/fix-annotations-epd.py

Updating https://github.com/adafruit/Adafruit_CircuitPython_asyncio to 0.5.21 from 0.5.20:
  > Merge pull request adafruit/Adafruit_CircuitPython_asyncio#41 from Neradoc/fix-package-prefix

Updating https://github.com/adafruit/Adafruit_CircuitPython_HTTPServer to 4.0.0 from 3.0.2:
  > Merge pull request adafruit/Adafruit_CircuitPython_HTTPServer#54 from michalpokusa/4.0.0-examples-refactor-authentication-mimetypes
  > Run pre-commit
  > Update pre-commit hooks
  > Merge pull request adafruit/Adafruit_CircuitPython_HTTPServer#53 from adafruit/not-robust

Updating https://github.com/adafruit/Adafruit_CircuitPython_Bundle/circuitpython_library_list.md to NA from NA:
  > Updated download stats for the libraries
4 participants