Threat Prevention infrastructure in Security Groups based on network rate limiting for Brute force and other attack types
A brute-force attack is a straightforward way to gain access to a secured system: the attacker tries one password after another until one works.
On the network, a brute-force attack's signature is a quick succession of many "new connections" from one source to one port; essentially, the attacker is trying to cycle through all possible password combinations as fast as possible.
This blueprint is intended to add new security group rules to Neutron Security Groups, protecting against east-west brute-force attacks.
The new rules would define the criteria that need to be met and an associated action to execute when the rule is activated (e.g. rate-limit by dropping packets beyond a certain threshold, or completely block the source).
Rate limiting works on new connection requests (e.g. TCP SYN packets) on a per-port basis for brute-force prevention.
The proposed rule changes are generic and can be used to prevent other east-west security attacks (e.g. DoS attack prevention).
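The following is an added example, not code from the blueprint or from Neutron, showing the behaviour the proposal describes: one token bucket per (source IP, destination port) counting new connections (SYNs), with a "drop beyond threshold" action and an optional escalation to "block the source completely". The rule schema (`PortRateRule` with `rate_per_sec`, `burst`, `block_after_drops`) and the traffic in `constructed_events()` are assumptions made for the illustration; a real implementation would sit in the iptables-based security group driver rather than in Python.

```python
"""Per-port new-connection (TCP SYN) rate limiting, simulated in Python.

Assumed model, not Neutron code: one token bucket per (source IP, destination
port). A SYN consumes one token; when the bucket is empty the SYN is dropped,
and a source that keeps hammering an exhausted bucket is blocked outright.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A "new connection" event: (timestamp in seconds, source IP, destination port).
SynEvent = Tuple[int, str, int]
Key = Tuple[str, int]


@dataclass(frozen=True)
class PortRateRule:
    """Rate-limit rule for one destination port (hypothetical rule schema)."""
    dst_port: int
    rate_per_sec: float                       # sustained new connections allowed per source
    burst: int                                # short burst tolerated before dropping starts
    block_after_drops: Optional[int] = None   # None: only drop; N: block the source after N drops


class SynRateLimiter:
    def __init__(self, rules: List[PortRateRule]) -> None:
        self.rules: Dict[int, PortRateRule] = {r.dst_port: r for r in rules}
        self.buckets: Dict[Key, Tuple[float, int]] = {}   # key -> (tokens, last_ts)
        self.drops: Counter = Counter()
        self.blocked: set = set()

    def decide(self, event: SynEvent) -> str:
        ts, src, dport = event
        rule = self.rules.get(dport)
        if rule is None:
            return "ACCEPT"          # no rate rule on this port: ordinary SG rules decide
        key = (src, dport)
        if key in self.blocked:
            return "BLOCKED"         # source already cut off for this port
        tokens, last_ts = self.buckets.get(key, (float(rule.burst), ts))
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(float(rule.burst), tokens + (ts - last_ts) * rule.rate_per_sec)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, ts)
            return "ACCEPT"
        self.buckets[key] = (tokens, ts)
        self.drops[key] += 1
        if rule.block_after_drops is not None and self.drops[key] >= rule.block_after_drops:
            self.blocked.add(key)    # escalate: complete block of this source on this port
            return "BLOCKED"
        return "DROP"


def simulate(events: List[SynEvent], rules: List[PortRateRule]) -> Dict[Key, Counter]:
    """Run events through the limiter in timestamp order; return per-flow verdict counts."""
    limiter = SynRateLimiter(rules)
    verdicts: Dict[Key, Counter] = {}
    for ev in sorted(events, key=lambda e: e[0]):   # stable sort keeps per-flow order
        verdicts.setdefault((ev[1], ev[2]), Counter())[limiter.decide(ev)] += 1
    return verdicts


def constructed_events() -> List[SynEvent]:
    """Constructed sample traffic (not captured data)."""
    events: List[SynEvent] = []
    # 10.0.0.5 hammers SSH: 10 SYNs per second for 3 seconds (brute-force signature).
    events += [(ts, "10.0.0.5", 22) for ts in range(3) for _ in range(10)]
    # 10.0.0.9 is a normal admin: three SSH logins spread over 12 seconds.
    events += [(ts, "10.0.0.9", 22) for ts in (0, 5, 12)]
    # Port 80 has no rate rule, so even a burst of 50 SYNs passes untouched.
    events += [(0, "10.0.0.5", 80) for _ in range(50)]
    return events


SSH_RULE = PortRateRule(dst_port=22, rate_per_sec=1.0, burst=5, block_after_drops=10)

if __name__ == "__main__":
    for flow, counts in simulate(constructed_events(), [SSH_RULE]).items():
        print(flow, dict(counts))
```

With `SSH_RULE`, the hammering source gets its first five SYNs through, is dropped once the bucket empties, and is cut off entirely after ten drops, while the admin's three widely spaced logins and all port 80 traffic are untouched. Dropping `block_after_drops` gives the pure rate-limit behaviour: one new connection per second leaks through indefinitely, which is usually enough to keep an operator's own access working but too slow for password guessing.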
Motivation:
-----------------
Security Groups in Neutron (i.e. the east-west firewall) block all ingress ports by default.
Egress/ingress traffic on a virtual machine's ports can be allowed per IP or per group.
However, once the ports are opened (i.e. "whitelisted"), there is currently no security mechanism to monitor the traffic on them. The high-risk scenario we want to address is internal attacks from a compromised server (VM); until now, this scenario has gone undetected.
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Lionel Zerbib
- Direction: Needs approval
- Assignee: Lionel Zerbib
- Definition: Obsolete
- Series goal: None
- Implementation: Beta Available
- Milestone target: next
- Started by: Lionel Zerbib
- Completed by: Armando Migliaccio
Whiteboard
Nov-09-2015 (armax): If someone is interested in pursuing it, this must be re-submitted according to the guidelines defined in [1]
[1] http://
-----------------
Gerrit topic: https:/
Addressed by: https:/
RST for blueprint security-
Addressed by: https:/
Add security groups extended API extension.
Addressed by: https:/
Add rate limit iptables security group firewall.