Denial of service via large UID packets

Issue #60 new
Yegor Timoshenko
created an issue

Screenshot from 2018-06-14 17-07-17.png

To reproduce, follow instructions in #57, but replace single ./sks-forge-uid with:

while true; do ./sks-forge-uid pgp.mit.edu -rand < /tmp/key.gpg; done

Also, if you've previously fetched sks-tools repo, make sure you're on the latest revision (git pull origin master).

I don't have server logs, but Kristian does (see 16:55 to 17:10 UTC).

It takes very little time to cause server to be inaccessible (5-10 min), and only requires the command above running on a single computer.

I've tested this with multiple SKS servers, to make sure this is not specific to some particular instance :-(

Comments (5)

  1. Andrew Gallagher

    I've tested this with multiple SKS servers, to make sure this is not specific to some particular instance :-(

    So you freely admit to running a premeditated DoS experiment against multiple public internet servers...?

  2. Yegor Timoshenko reporter

    Yes. Why not? I was trying to get a key to 1GB size, which would be another DoS vulnerability, but SKS keyservers I've tried this on became unresponsive at about 30MB. I was not sure if that was caused by my actions at first. My intent here is to cause keyservers to become more resilient to both spoofing (#41) and DoS (#57, #60).

  3. Log in to comment