Skip to content

Latest commit

 

History

History
184 lines (148 loc) · 14 KB

mitigations.md

File metadata and controls

184 lines (148 loc) · 14 KB

Mitigation Strategies Analysis for cloudflare/pingora

Mitigation Strategy: Strict Upstream Configuration and Validation

Mitigation Strategy: Strict Upstream Configuration and Validation

  • Description:

    1. Inventory: Create a comprehensive list of all legitimate upstream servers (applications, databases, etc.) that pingora must access. Include IP addresses, hostnames, and ports.
    2. Whitelist (Pingora Configuration): Within pingora's configuration (e.g., its TOML file or equivalent), explicitly define the allowed upstream servers using the inventory from step 1. pingora should be configured to reject any connection attempts to servers not on this whitelist. This is a core pingora configuration task.
    3. IP Address Preference (Pingora Configuration): In pingora's configuration, use IP addresses instead of hostnames for upstream servers whenever possible. This avoids reliance on DNS resolution, which can be a point of vulnerability.
    4. Port Specificity (Pingora Configuration): Within pingora's configuration, explicitly specify the allowed ports for each upstream server. Do not use wildcard port ranges or leave ports undefined. This is a direct setting within pingora.
    5. Input Validation (for Upstream Selection, if applicable): If pingora's configuration allows any form of dynamic upstream selection based on user input (this is generally not recommended), implement strict validation within a pingora filter or callback to prevent SSRF. This validation logic should be part of the pingora deployment. The validation should:
      • Check against a predefined, hardcoded whitelist (separate from the main upstream configuration, if necessary).
      • Reject any input that doesn't match the expected format.
    6. Configuration Review (Pingora Configuration): Regularly review the pingora configuration file(s) to ensure the upstream whitelist remains accurate and up-to-date.
    7. Automated Testing (Targeting Pingora): Create automated tests that specifically target pingora. These tests should attempt to connect to unauthorized upstream servers through pingora and verify that pingora correctly rejects the connections according to its configuration.

  • Threats Mitigated:

    • Server-Side Request Forgery (SSRF): (Severity: Critical) - Prevents attackers from using pingora to make requests to internal or unintended services.
    • Unintended Service Exposure: (Severity: High) - Prevents accidental exposure of internal services via pingora.
    • Bypass of Security Controls: (Severity: High) - Prevents attackers from bypassing network security by routing through pingora.
    • Data Exfiltration: (Severity: High) - Reduces the risk of data exfiltration through pingora.

  • Impact:

    • SSRF: Risk significantly reduced (almost eliminated with correct pingora configuration).
    • Unintended Service Exposure: Risk significantly reduced (directly controlled by pingora's configuration).
    • Bypass of Security Controls: Risk significantly reduced (dependent on pingora's configuration).
    • Data Exfiltration: Risk significantly reduced.

  • Currently Implemented: (Example - Needs to be filled in by the development team)

    • Upstream whitelist: Partially implemented in config/pingora.toml.
    • SSRF validation (within a pingora filter): Not implemented.
    • Automated tests: Basic tests for valid upstreams, but no tests for unauthorized access through pingora.

  • Missing Implementation: (Example - Needs to be filled in by the development team)

    • SSRF validation filter needs to be implemented within pingora.
    • Automated tests need to specifically target pingora's rejection of unauthorized upstream access.
    • Regular pingora configuration review process needs to be formalized.

Mitigation Strategy: Secure Header Handling (within Pingora)

Mitigation Strategy: Secure Header Handling (within Pingora)

  • Description:

    1. Header Inventory: List all HTTP headers processed by pingora.
    2. Whitelist/Blacklist (Pingora Configuration/Filters): Within pingora's configuration or using pingora's filter/callback system:
      • Whitelist: Define which headers pingora should allow. This is the preferred approach.
      • Blacklist: Define which headers pingora should block. Less secure, but sometimes necessary.
    3. Sanitization (Pingora Filters): For allowed headers that might contain untrusted data, implement sanitization within pingora filters. This is crucial for preventing header injection.
    4. Removal (Pingora Configuration/Filters): Configure pingora (via configuration or filters) to remove unnecessary or sensitive headers (e.g., Server, X-Powered-By).
    5. X-Forwarded-For Handling (Pingora Configuration/Filters): Configure pingora specifically to handle X-Forwarded-For:
      • Validate the format if trusting the client's header.
      • Append the client's IP (obtained by pingora) instead of replacing.
      • Remove and replace if not trusting the client.
    6. X-Real-IP Handling (Pingora Configuration/Filters): Similar to X-Forwarded-For, configure pingora's handling of X-Real-IP.
    7. Custom Headers (Pingora Configuration/Filters): Review and securely configure pingora's handling of any custom headers.
    8. Automated Tests (Targeting Pingora): Create tests that send requests to pingora with malicious headers. Verify that pingora (via its configuration and filters) handles them correctly.

  • Threats Mitigated:

    • Header Injection Attacks: (Severity: High) - Prevents attackers from injecting malicious headers via pingora.
    • Information Disclosure: (Severity: Medium) - Prevents leakage of sensitive information through headers processed by pingora.
    • IP Spoofing: (Severity: Medium) - Reduces IP spoofing risk through pingora.
    • Cross-Site Scripting (XSS) (Indirectly): (Severity: High) - Sanitizing headers within pingora can help prevent XSS.

  • Impact:

    • Header Injection: Risk significantly reduced (directly controlled by pingora's configuration and filters).
    • Information Disclosure: Risk significantly reduced.
    • IP Spoofing: Risk reduced.
    • XSS (Indirectly): Risk reduced.

  • Currently Implemented: (Example)

    • Basic header removal in pingora's configuration.
    • No sanitization or whitelisting within pingora.
    • X-Forwarded-For is appended by pingora, but without validation.

  • Missing Implementation: (Example)

    • Header whitelisting/blacklisting needs to be implemented in pingora's configuration or filters.
    • Sanitization functions need to be implemented as pingora filters.
    • X-Forwarded-For validation needs to be added to pingora.
    • Automated tests targeting pingora's header handling are missing.

Mitigation Strategy: Enforce Strong TLS Configuration (within Pingora)

Mitigation Strategy: Enforce Strong TLS Configuration (within Pingora)

  • Description:

    1. TLS Version (Pingora Configuration): Configure pingora (in its configuration file) to use TLS 1.3 only, if possible. If necessary, allow TLS 1.2 as a fallback, but disable older versions. This is a direct pingora setting.
    2. Cipher Suites (Pingora Configuration): Specify a list of strong cipher suites within pingora's configuration. Prioritize forward secrecy (ECDHE, DHE). Disable weak ciphers. This is a direct pingora setting.
    3. Certificate Validation (Upstream - Pingora Configuration): Configure pingora to perform strict certificate validation for upstream connections:
      • Verify validity period.
      • Verify the chain of trust.
      • Verify the hostname matches.
      • Consider certificate pinning (within pingora's configuration, if supported).
    4. Certificate Pinning (Optional - Pingora Configuration): If supported by pingora, configure certificate pinning for critical upstreams.
    5. HSTS (HTTP Strict Transport Security - Pingora Configuration): Configure pingora to send the HSTS header. This is a pingora configuration setting.
    6. OCSP Stapling (Pingora Configuration): Enable OCSP stapling within pingora's configuration, if supported.
    7. Regular Key/Certificate Rotation: Implement a process for rotating TLS keys and certificates used by pingora.
    8. Automated Testing (Targeting Pingora): Use tools like testssl.sh to test pingora's own TLS configuration.

  • Threats Mitigated:

    • Man-in-the-Middle (MitM) Attacks: (Severity: Critical) - Strong TLS configuration in pingora prevents MitM attacks.
    • Downgrade Attacks: (Severity: High) - Disabling weak TLS versions/ciphers in pingora prevents downgrade attacks.
    • Information Disclosure: (Severity: High) - Encrypting traffic with pingora prevents eavesdropping.

  • Impact:

    • MitM Attacks: Risk significantly reduced (almost eliminated with proper pingora configuration).
    • Downgrade Attacks: Risk significantly reduced (controlled by pingora's settings).
    • Information Disclosure: Risk significantly reduced.

  • Currently Implemented: (Example)

    • TLS 1.2 and 1.3 are enabled in pingora's configuration.
    • Default cipher suites are used by pingora, but not reviewed.
    • Basic certificate validation by pingora, but not hostname verification.
    • HSTS is not enabled in pingora.

  • Missing Implementation: (Example)

    • Cipher suite list needs review and updating within pingora's configuration.
    • Hostname verification needs to be added to pingora's certificate validation.
    • HSTS needs to be enabled in pingora's configuration.
    • OCSP stapling should be considered (if supported by pingora).
    • Automated TLS testing targeting pingora is needed.

Mitigation Strategy: Rate and Connection Limiting (within Pingora)

Mitigation Strategy: Rate and Connection Limiting (within Pingora)

  • Description:

    1. Identify Resources: Determine which resources (upstream servers, endpoints) pingora should protect.
    2. Define Limits (Pingora Configuration): Configure pingora (using its configuration mechanisms) to set limits:
      • Requests per Second (RPS) per client/IP/etc.
      • Connections per Second (CPS).
      • Total Concurrent Connections.
    3. Granularity (Pingora Configuration): Configure the granularity of limits within pingora (per client IP, globally, etc.).
    4. Error Handling (Pingora Configuration): Configure pingora to return appropriate error responses (e.g., 429) when limits are exceeded.
    5. Monitoring: Monitor pingora's metrics to track the effectiveness of rate limiting.
    6. Testing (Targeting Pingora): Simulate high traffic loads to pingora to test its rate limiting configuration.

  • Threats Mitigated:

    • Denial-of-Service (DoS) Attacks: (Severity: High) - pingora protects upstreams from overload.
    • Brute-Force Attacks: (Severity: Medium) - pingora can slow down brute-force attempts.
    • Resource Exhaustion: (Severity: High) - pingora prevents resource exhaustion.
    • Web Scraping: (Severity: Low) - pingora can hinder web scraping.

  • Impact:

    • DoS Attacks: Risk significantly reduced (directly controlled by pingora).
    • Brute-Force Attacks: Risk reduced.
    • Resource Exhaustion: Risk significantly reduced.
    • Web Scraping: Risk reduced.

  • Currently Implemented: (Example)

    • No rate limiting or connection limiting is configured in pingora.

  • Missing Implementation: (Example)

    • Rate limiting and connection limiting need to be configured within pingora.
    • Monitoring of pingora's rate limiting metrics is needed.
    • Testing pingora under high load is required.

Mitigation Strategy: Stay Up-to-Date and Monitor for Vulnerabilities (of Pingora)

Mitigation Strategy: Stay Up-to-Date and Monitor for Vulnerabilities (of Pingora)

  • Description:

    1. Subscribe to Updates: Subscribe to the pingora project's release notifications and security advisories.
    2. Regular Updates: Establish a schedule for updating the pingora library itself to the latest stable version.
    3. Dependency Management: Use Cargo (or equivalent) to manage and update pingora's dependencies.
    4. Vulnerability Scanning: Use SAST/DAST tools to scan the pingora library and its dependencies for vulnerabilities. This is about finding vulnerabilities in pingora, not in your application logic.
    5. Security Audits: Conduct audits focusing on the pingora deployment and configuration.

  • Threats Mitigated:

    • Exploitation of Known Vulnerabilities (in Pingora): (Severity: Variable, up to Critical) - Reduces the risk of exploiting vulnerabilities in the pingora library itself.

  • Impact:

    • Exploitation of Known Vulnerabilities: Risk significantly reduced (by keeping pingora updated).

  • Currently Implemented: (Example)

    • No formal process for monitoring pingora updates.
    • pingora's dependencies are updated sporadically.

  • Missing Implementation: (Example)

    • Formal process for monitoring pingora updates is needed.
    • pingora's dependency management needs improvement.
    • Vulnerability scanning of pingora itself needs to be integrated.
    • Security audits focusing on the pingora deployment are needed.