sharkey development team can have a fun, whimsical feature request instead of "here are all these super concerning zero day vulnerabilities i have accumulated by analyzing DoS attacks against transfem.social and the source code with hazel" as a treat.
-
greeeeen :blobcatpresentgreen: (christmas edition) replied to Amber
@[email protected] wow, you discovered zero days, because they were used in the wild against tf.s??
-
Amber replied to greeeeen :blobcatpresentgreen: (christmas edition)
@[email protected] yes. multiple occasions at this point.
-
@[email protected] ones that not even misskey knew about
-
greeeeen :blobcatpresentgreen: (christmas edition) replied to Amber
@[email protected] are the CVEs just so easy to find, or are the transphobes hiring some hackers or something??
-
Amber replied to greeeeen :blobcatpresentgreen: (christmas edition)
@[email protected] the ones used in the wild did not even meet criteria for CVEs. Nor GHSAs. They're just very basic shitty techniques to exhaust cpu and take the instance down.
-
@[email protected] like, it turns out that if there is no caching on the Misskey media proxy, then when it does the required image processing for remote media... that takes some CPU load... so, carrying on... if you spam 100 requests per second for a remote avatar through our media proxy then, well, you'll never guess this... the CPU is saturated and can't handle any more IO. This prevents HTTP traffic and everything else. Of course, when it finally can handle HTTP connections, it is then stuck processing the images.
-
@[email protected] the fix for this was so disappointing. First, we added rate limits to sharkey on how many attachments you can request through media proxy per second. And then... we used HAProxy to make a cache. so... actually funnily enough - these attacks are still happening it's just that haproxy has the media cached and our server isn't processing anything.
-
@[email protected] so... you know how there was that large list of GHSAs (6) and how Hazel worked on 5/6? Well. The 6th one was in regards to using the media proxy to fetch from itself in a bit of recursion shenanigans that just explodes. So... when that was patched the skids found out they could do that... and they attempted to attack us with it several times, but I had already patched the instance with all the security patches quite literally within the first minutes of them being released for Sharkey because I knew the extent of Hazel's findings.
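The mitigation Amber describes above (a per-client rate limit on media-proxy requests plus an HAProxy cache so repeated fetches of the same remote image never reach the instance) spelled out as an added example. This is not transfem.social's configuration and not Sharkey's own code; it is an illustrative HAProxy config that assumes Sharkey listens on 127.0.0.1:3000, that the media proxy lives under the path prefix /proxy/, a TLS bundle at /etc/haproxy/certs/instance.pem, HAProxy 2.4 or newer, and a made-up threshold of 200 media requests per client IP per 10 seconds. The Sharkey-side attachment rate limit mentioned in the thread is separate and not shown here.

```haproxy
# Added example, not the instance's real config. All hosts, paths and
# thresholds below are assumptions chosen for illustration.

global
    log stdout format raw local0
    maxconn 20000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  60s

# Shared in-memory cache for media-proxy responses.
# total-max-size is in MB, max-object-size in bytes, max-age in seconds
# (max-age is only used when the upstream response sets no max-age itself).
cache media_cache
    total-max-size 512
    max-object-size 20971520
    max-age 86400
    process-vary on

frontend fe_https
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/instance.pem alpn h2,http/1.1
    http-request redirect scheme https unless { ssl_fc }

    acl is_media path_beg /proxy/          # assumed media-proxy prefix

    # Remember in the transaction that this was a media request, so the
    # response side can decide whether to store it without re-reading
    # request fetches after the request has been forwarded.
    http-request set-var(txn.media) str(1) if is_media

    # Per-client-IP request counter over a 10 s window (ipv6 tables also
    # hold IPv4 addresses).
    stick-table type ipv6 size 200k expire 60s store http_req_rate(10s)
    http-request track-sc0 src if is_media

    # A cache hit is answered right here and request processing stops:
    # the attack traffic keeps coming, but Sharkey never decodes anything.
    http-request cache-use media_cache if is_media

    # Only cache misses get this far. A client above the assumed threshold
    # is refused before it can make the origin do more image processing.
    http-request deny deny_status 429 if is_media { sc_http_req_rate(0) gt 200 }

    default_backend be_sharkey

backend be_sharkey
    # Store media-proxy responses that HAProxy considers cacheable (2xx with
    # no Cache-Control: no-store/private and no Set-Cookie), so personal
    # responses never land in the shared cache.
    http-response cache-store media_cache if { var(txn.media) -m str 1 }
    server sharkey 127.0.0.1:3000 check
```

Two practical checks: confirm with a test request (for example `curl -sI 'https://instance/proxy/avatar.webp?url=...'` twice and compare origin access logs) that the second fetch does not hit Sharkey, and check the headers the media proxy actually returns, because a `Cache-Control: no-store` or a `Vary` header on an HAProxy older than 2.4 will silently disable caching and the origin will keep absorbing the load.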