You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2012/10/10 04:44:09 UTC

[jira] [Updated] (TS-1422) TProxy + proxy.config.http.use_client_target_addr can caused site-specific DoS when DNS records are bad/stale or point to unreachable servers

     [ https://issues.apache.org/jira/browse/TS-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-1422:
------------------------------

    Fix Version/s: 3.3.2
    
> TProxy + proxy.config.http.use_client_target_addr can caused site-specific DoS when DNS records are bad/stale or point to unreachable servers
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: TS-1422
>                 URL: https://issues.apache.org/jira/browse/TS-1422
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP
>    Affects Versions: 3.2.0
>         Environment: Version 3.2 running with TProxy interception and proxy.config.http.use_client_target_addr == 1
>            Reporter: B Wyatt
>            Assignee: Alan M. Carroll
>             Fix For: 3.3.2
>
>
> In the presence of multiple A(AA) records from DNS, most consumer browsers will choose an alternate record if their current selected record is unreachable.  This allows the browser to successfully mitigate downed servers and stale/erroneous DNS entries.
> However, an intercepting proxy will establish a connection for a given endpoint regardless of the state of the upstream endpoint.  As a result, the browsers ability to detect downed origin servers is completely neutralized.
> When enabling proxy.config.http.use_client_target_addr this situation creates a localized service outage.  ATS will skip DNS checks in favor of using the endpoint address that the client was attempting to connect to during interception.  If this endpoint is unreachable, ATS will send an error response (50x) to the user browser.  Since the browser assumes this is from the Origin Server, it makes no attempt to move to the next DNS record. 
> In the event that a DNS record is erroneous or the most selected record (aka first?) points to a down server, this can deny access to a destination for users behind the transparent proxy, while users that are not intercepted merely see increased latency as their browser cycles through bad DNS entries looking for a good address.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira