-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve the CAS error message generated when an IOC gets port-scanned #128
Comments
Taking a look the original post, the error message was:
Printed by this function. Putting back together the standard message header, defined here, the header content was (in hex):
which converted to ASCII is:
So, in that case the error was produce by an HTTP GET command, and not by a port scanner. So, the issue is now easy to reproduce. Just try to open http connection pointing to an EPICS server TCP port. $ links -source http://172.16.125.2:36533
0����GET / HTTP/1.1
CAS: Client version 0 too old This generates almost an identical error message in the EPICS IOC:
|
FYI. security scanners like to look for common services on uncommon ports. So I suspect this was a scanner looking for unauthorized HTTP servers. |
Also, an example of my PVXS library logging a short PVA message:
Feel free to borrow (or not) from |
That's a good point. That would make more sense that a real HTTP connection. |
I've read through this issue, PR 141, and the EPICS tech-talk post. I've built the latest 7.0 and tested it with the links suggestion from Jesus' previous work, to confirm that the Client version too old message is still there. I've built Jesus' PR and tested it with links. A message shows up only if CASDEBUG=1: CAS: Invalid command rejected. It is not clear to me what is missing for having this PR merged. |
After talking with @mdavidsaver, these were the points brought up:
|
I think that I've found a problem. I'm testing an IOC with the code in PR 141, containing the following record:
I've caput to it with 1000 values, using this bash script: elements=""
for i in {1..1000}
do
elements+="${i} "
done
caput -a waves $i $elements The IOC complained and answered back to caput with: CAS: Invalid payload size rejected caput requested a write command using the standard protocol, but if you see the contents of the header:
The payload size is 40000, but caput used the standard protocol, not the extended one. From this document - https://epics.anl.gov/base/R3-16/0-docs/CAproto/index.html - I see
I've tested other values for caput and it only switches from standard to extended protocol when the payload has more than 65536 bytes. Should we change the description in the protocol specification to officialy allow standard protocol with more than 16368 bytes? Should we, instead, fix EPICS base to match the protocol description and increase the minor version to have an additional condition in a way of maintaining compatibility with other EPICS versions? |
cf.
|
Good catch! |
As we’ve identified that the payload size is allowed to have any number, it can’t be used alone to identify a valid CA message. Going back to the original suggestion: check the command number to identify a valid message. @mdavidsaver suggested using CA_PROTO_LAST_CMMD + 16 to make room for newer clients with more commands to have their message identified as valid. This would currently prevent 1-(28+16)/65536 = 99.93% of non-CA clients messages that send something random in the command field. For the remaining 0.07% of the cases, we can create a combination between the command field with another field to limit the chances of a non-CA client having a message recognized as CA valid. In pseudo-code, this is what I’m planning:
Please, see if you see any catches with this idea and if it is ok to implement it. |
I don't remember what the state is that you're detecting, so don't assume that what I suggest below is sensible/possible. Don't we have a good idea what message(s) all our past clients send at the start of a new TCP connection? I would have thought we could reject anything that doesn't start with one of those first messages, rather than potentially allowing through any message. For instance I don't see how a real client could ever send a There might be several possible such messages, but I would have thought this could pare down the allowed list. I'm sure if I'm wrong Michael will be able to explain how/why though. Thanks, these messages do tend to scare our users a little so I'd love to get rid of them. |
Andrew, the original suggestion and the subsequent solution implementation was focusing on every message arriving at the IOC, no matter if it was from a client starting the communication or continuing it. Your suggestion would imply that, if the message is not the starting point of a communication, we would just need to check if the client ID is already registered, right? Then, the only test for validity of the header format would be applied for the initial command. I had already finished a solution in PR 141 when your message came, and I ended up pushing it. I'm happy to change everything to implement another idea if you want. This is being a nice learning experience to me. |
Hi Márcio, no don't change what you've already completed. I don't know the code as well as Michael does so my suggestion might not even be possible, although if it is we might want consider doing it as well. I will defer any decision on the idea to him. |
I'm not sure if trying to do so much validation early in I worry we have unconsciously allowed the scope of this PR to creep. Remember that the goal is to reduce log noise. Simply omitting |
Ok, @mdavidsaver. I agree with you. I'll go back to origins and flag the CA message as invalid only if command > CA_PROTO_LAST_CMMD + 16. Please, just confirm to me if the message should be printed on the IOC shell only if CASDEBUG != 0. |
I'm copying here the issue published in the codeathon ideas list: improve-the-cas-error-message-generated-when-an-ioc-gets-port-scanned
The text was updated successfully, but these errors were encountered: