Skip to content

Latest commit

 

History

History
69 lines (50 loc) · 5.51 KB

mitigations.md

File metadata and controls

69 lines (50 loc) · 5.51 KB

Mitigation Strategies Analysis for qdrant/qdrant

Mitigation Strategy: Strict Resource Limits (Qdrant Configuration)

  1. Analyze Resource Usage: Monitor Qdrant's CPU, memory, and disk I/O usage under normal and peak load conditions.
  2. Set Memory Limits:
    • Configure storage.mmap_threshold_kb in Qdrant's configuration file. This setting determines when Qdrant uses memory-mapped files (mmap) for storage. Set this appropriately based on available RAM and expected data size. Too low, and performance suffers; too high, and you risk out-of-memory errors.
    • Configure storage.max_segment_number. This limits the number of segments Qdrant creates. Too many segments can lead to performance degradation.
  3. Set Vector Size Limits:
    • Within your application logic before sending data to Qdrant, enforce a maximum vector dimensionality. Qdrant doesn't have a built-in limit, so this must be done in the application. Reject any vectors exceeding this limit. This prevents attackers from sending excessively large vectors to exhaust resources.
  4. Set limits on the maximum number of vectors:
    • Configure storage.max_vectors_per_segment to limit the number of vectors that can be stored in a single segment.
  5. Configure HNSW parameters:
    • Configure hnsw_config.m, hnsw_config.ef_construct, and hnsw_config.full_scan_threshold to control the memory usage and performance of the HNSW index.
  6. Configure Optimizers:
    • Configure optimizers_config to control the behavior of the optimizers, which can impact memory usage and performance.

Threats Mitigated:

  • Denial of Service (DoS) via Resource Exhaustion: (Severity: High) - Prevents attackers from overwhelming Qdrant by consuming excessive memory, disk space, or CPU cycles.

Impact:

  • DoS: Significantly reduces the risk of DoS attacks caused by resource exhaustion. (Risk Reduction: High)

Currently Implemented: [Placeholder: e.g., "mmap_threshold_kb is set to 2048000 (2GB). max_segment_number is set to 10. No vector size limit is enforced in Qdrant (must be done in application logic)."]

Missing Implementation: [Placeholder: e.g., "Need to fine-tune mmap_threshold_kb and max_segment_number based on further performance testing. Vector size limit is enforced in application, not Qdrant configuration."]

Mitigation Strategy: Separate Index for Untrusted Data (Using Qdrant Collections)

  1. Create Separate Collections:
    • Within Qdrant, create distinct collections for data from different trust levels. For example:
      • qdrant.create_collection(collection_name="trusted_vectors", ...)
      • qdrant.create_collection(collection_name="untrusted_vectors", ...)
    • Use a consistent naming convention to easily identify the trust level of each collection.
  2. Configure (If using Authentication):
    • If Qdrant is configured with authentication (API keys), create separate API keys with access restricted to specific collections. For example, an API key for the application component handling untrusted data should only have access to the untrusted_vectors collection. This is done through Qdrant's access control mechanisms.
  3. Application Logic: Ensure your application uses the correct collection name when interacting with Qdrant, based on the data source.

Threats Mitigated:

  • Data Poisoning / Model Poisoning: (Severity: High) - Isolates potentially poisoned data within a separate Qdrant collection, preventing it from contaminating trusted data.

    Impact:

  • Data Poisoning: Significantly reduces the impact of poisoning attacks by limiting their scope. (Risk Reduction: High)

Currently Implemented: [Placeholder: e.g., "All data is currently stored in a single Qdrant collection named 'all_vectors'."]

Missing Implementation: [Placeholder: e.g., "Need to create separate Qdrant collections ('trusted_vectors', 'untrusted_vectors') and update application code to use the correct collection based on data source. Configure API keys if authentication is enabled."]

Mitigation Strategy: Configure Qdrant with Authentication

  1. Enable Authentication:
    • Configure Qdrant to require API keys for all requests. This is typically done through Qdrant's configuration file (e.g., setting service.api_key or similar).
  2. Generate API Keys:
    • Create strong, unique API keys.
  3. Distribute Keys Securely:
    • Provide the API keys to the application components that need to access Qdrant, using secure methods (e.g., environment variables, secrets management systems).
  4. Use API Keys in Requests:
    • Ensure that all requests from your application to the Qdrant API include the appropriate API key in the headers (usually api-key header).

Threats Mitigated:

  • Unauthorized Access: (Severity: High) - Prevents unauthorized clients from accessing the Qdrant API.

Impact:

  • Unauthorized Access: Significantly reduces the risk of unauthorized access. (Risk Reduction: High)

Currently Implemented: [Placeholder: e.g., "Qdrant is currently running without authentication enabled."]

Missing Implementation: [Placeholder: e.g., "Need to enable authentication in Qdrant's configuration, generate API keys, and update the application to include the API key in all requests."]