threat-modeling.md

Threat Model Analysis for nsqio/nsq

Threat: Rogue nsqd Instance

• Threat: Rogue nsqd Instance
  • Description: An attacker introduces a malicious nsqd instance into the network. Producers, through nsqlookupd discovery, connect to this rogue instance and send messages to it. The attacker controls this instance.
  • Impact: Message loss (messages never reach intended consumers), message interception (attacker gains access to sensitive data), and potential for further attacks by manipulating the rogue nsqd.
  • Affected Component: nsqd, nsqlookupd (discovery process)
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Use TLS with server-side certificates for all nsqd instances. Clients (producers and consumers) must be configured to verify the nsqd certificate against a trusted CA. This is crucial.
    • Statically configure nsqlookupd addresses in clients, bypassing dynamic discovery if feasible and appropriate for the deployment. This reduces the attack surface.
    • Implement monitoring to detect unexpected nsqd instances joining the cluster (e.g., using nsqadmin API or custom scripts). Alert on any new, unknown instances.

Threat: Rogue nsqlookupd Instance

• Threat: Rogue nsqlookupd Instance
  • Description: An attacker introduces a malicious nsqlookupd instance. Clients querying this rogue instance are directed to attacker-controlled nsqd instances.
  • Impact: Producers and consumers connect to malicious nsqd instances, leading to message loss, interception, or manipulation. This can completely disrupt the messaging system.
  • Affected Component: nsqlookupd, nsqd (indirectly, through misdirection)
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Use TLS with server-side certificates for all nsqlookupd instances. Clients must be configured to verify the nsqlookupd certificate.
    • Statically configure nsqlookupd addresses in clients. This is the most reliable way to prevent this attack.
    • Network segmentation: Isolate nsqlookupd instances on a secure, dedicated network segment.
    • Implement monitoring to detect unexpected nsqlookupd instances.

Threat: Unauthorized Message Production

• Threat: Unauthorized Message Production
  • Description: An attacker gains network access and connects directly to an nsqd instance, bypassing application-level authentication. They publish messages to a topic, injecting malicious data or commands.
  • Impact: The application processes fraudulent messages, leading to data corruption, incorrect state, execution of unintended actions, or denial of service.
  • Affected Component: nsqd (TCP listener, message handling logic)
  • Risk Severity: High
  • Mitigation Strategies:
    • Implement a mandatory authentication proxy service before nsqd. This proxy validates credentials (API keys, JWTs, etc.) before forwarding messages. This is the preferred solution.
    • Use TLS with client-side certificates. Configure nsqd to require client certificates and verify them against a trusted CA.
    • Network segmentation: Restrict network access to nsqd to only authorized producer IPs/networks using firewalls or network policies.

Threat: Message Tampering in Transit

• Threat: Message Tampering in Transit
  • Description: An attacker with network access intercepts messages between producers, nsqd, and consumers. They modify the message content before forwarding.
  • Impact: The application processes corrupted or manipulated data, leading to incorrect results, state corruption, or execution of unintended actions.
  • Affected Component: Network communication between all NSQ components (producers, nsqd, nsqlookupd, consumers)
  • Risk Severity: High
  • Mitigation Strategies:
    • Enable TLS encryption for all communication between NSQ components and clients. This is the primary and most effective defense.
    • Implement message-level integrity checks (HMAC, digital signatures) within the message payload. Consumers verify these checks before processing.

Threat: Message Eavesdropping

• Threat: Message Eavesdropping
  • Description: An attacker with network access passively listens to communication between NSQ components and clients, capturing message contents.
  • Impact: Exposure of sensitive data contained within messages.
  • Affected Component: Network communication between all NSQ components.
  • Risk Severity: High (if messages contain sensitive data)
  • Mitigation Strategies:
    • Enable TLS encryption for all NSQ communication. This is essential.

Threat: Message Flooding (DoS)

• Threat: Message Flooding (DoS)
  • Description: An attacker sends a large volume of messages to an nsqd instance, exceeding its capacity.
  • Impact: Denial of service for legitimate messages; nsqd becomes unresponsive or crashes.
  • Affected Component: nsqd (message handling, queue management)
  • Risk Severity: High
  • Mitigation Strategies:
    • Implement rate limiting on message producers (at the application level or using a proxy).
    • Configure appropriate message size limits (--max-msg-size) in nsqd.
    • Use nsqd's --max-msg-timeout to prevent messages from lingering indefinitely.
    • Monitor nsqd resource usage (CPU, memory, disk I/O) and set alerts.
    • Deploy multiple nsqd instances for horizontal scaling and load balancing.

Threat: Connection Exhaustion (DoS)

• Threat: Connection Exhaustion (DoS)
  • Description: An attacker opens many connections to nsqd or nsqlookupd, exhausting their connection limits.
  • Impact: Legitimate clients cannot connect to NSQ, disrupting the messaging system.
  • Affected Component: nsqd (TCP listener), nsqlookupd (TCP listener)
  • Risk Severity: High
  • Mitigation Strategies:
    • Configure appropriate connection limits (--max-connections) in nsqd and nsqlookupd.
    • Use a firewall to limit the number of connections from a single IP address or network.
    • Monitor connection counts and set alerts for unusual activity.

Threat: NSQ Code Vulnerability (Elevation of Privilege)

• Threat: NSQ Code Vulnerability (Elevation of Privilege)
  • Description: An attacker exploits a previously unknown vulnerability in the NSQ codebase (e.g., buffer overflow, code injection) to gain control of an NSQ process.
  • Impact: Potential for complete system compromise, data breach, or further attacks.
  • Affected Component: Potentially any NSQ component (nsqd, nsqlookupd, nsqadmin, or supporting libraries)
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Keep NSQ up to date with the latest releases and security patches. This is paramount.
    • Run NSQ components with the least necessary privileges (avoid running as root).
    • Use containerization (Docker) to isolate NSQ processes and limit access to the host system. Use minimal base images.
    • Implement robust system monitoring and intrusion detection.

Threat: Configuration File Tampering

• Threat: Configuration File Tampering
  • Description: An attacker gains access to the server hosting NSQ components and modifies the configuration files (e.g., nsqd.conf, nsqlookupd.conf).
  • Impact: Changes to critical settings (message timeouts, data paths, security settings) can disrupt service, lead to data loss, or disable security features.
  • Affected Component: Configuration files of nsqd, nsqlookupd, and nsqadmin.
  • Risk Severity: High
  • Mitigation Strategies:
    • Strictly control access to the servers hosting NSQ components. Use strong passwords, SSH keys, and multi-factor authentication.
    • Implement file integrity monitoring (FIM) to detect unauthorized changes to configuration files.
    • Use configuration management tools (Ansible, Chef, Puppet) to manage and enforce the desired configuration state.
    • Regularly back up configuration files to a secure location.