Traffic Server / TS-1422

TProxy + proxy.config.http.use_client_target_addr can cause site-specific DoS when DNS records are bad/stale or point to unreachable servers


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.0
    • Fix Version/s: 3.3.2
    • Component/s: HTTP
    • Labels: None
    • Environment: Version 3.2 running with TProxy interception and proxy.config.http.use_client_target_addr == 1

    Description

      In the presence of multiple A(AA) records from DNS, most consumer browsers will choose an alternate record if their current selected record is unreachable. This allows the browser to successfully mitigate downed servers and stale/erroneous DNS entries.

      However, an intercepting proxy will establish a connection for a given endpoint regardless of the state of the upstream endpoint. As a result, the browser's ability to detect downed origin servers is completely neutralized.

      When enabling proxy.config.http.use_client_target_addr this situation creates a localized service outage. ATS will skip DNS checks in favor of using the endpoint address that the client was attempting to connect to during interception. If this endpoint is unreachable, ATS will send an error response (50x) to the user's browser. Since the browser assumes this is from the origin server, it makes no attempt to move to the next DNS record.

      In the event that a DNS record is erroneous or the most selected record (aka first?) points to a down server, this can deny access to a destination for users behind the transparent proxy, while users that are not intercepted merely see increased latency as their browser cycles through bad DNS entries looking for a good address.
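A defender-side check for the precondition described above, added here as an example and not code from the Traffic Server project: it resolves a host, TCP-probes every returned address, and labels each record that a direct browser would simply skip but that clients behind an intercepting ATS with use_client_target_addr == 1 would see as a 50x. Hostnames come from the command line (an assumption of this example), and the outcome labels are the example's own.

```python
import socket
import sys
from typing import Callable, Dict, List

# Outcome labels for one A/AAAA record, seen from clients behind the proxy.
OK = "ok"                              # record answers; no difference either way
PROXY_ONLY = "50x behind proxy only"   # direct browser would skip it, proxy returns 50x
TOTAL = "down for everyone"            # every record is dead; not this bug

def resolve_all(host: str, port: int = 80) -> List[str]:
    """All addresses the resolver returns for host, de-duplicated, in order."""
    addrs: List[str] = []
    for *_, sockaddr in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs

def tcp_probe(addr: str, port: int = 80, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to addr:port completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify_records(addrs: List[str], probe: Callable[[str], bool]) -> Dict[str, str]:
    """Label each record with what the clients that were handed it would experience.

    A direct browser cycles through the records until one connects, so it only
    fails when all are dead. With use_client_target_addr == 1 the proxy tries
    just the address the client picked and answers 50x if that one is dead,
    so each dead record is a hard outage for the clients that picked it.
    """
    alive = {a: probe(a) for a in addrs}
    if not any(alive.values()):
        return {a: TOTAL for a in addrs}
    return {a: (OK if up else PROXY_ONLY) for a, up in alive.items()}

def summarize(outcomes: Dict[str, str]) -> str:
    """One-line report of how many records would turn into a 50x behind the proxy."""
    bad = [a for a, o in outcomes.items() if o == PROXY_ONLY]
    return f"{len(bad)}/{len(outcomes)} records would 50x behind TProxy: {bad}"

if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, "->", summarize(classify_records(resolve_all(host), tcp_probe)))
```

Run it against the origin hostnames served through the intercepting proxy; any record labelled "50x behind proxy only" is a stale or dead entry that users behind the proxy cannot route around on their own.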


    People

      Assignee: amc (Alan M. Carroll)
      Reporter: wanderingbort (Bart)