[opencms-dev] DOS attacks made possible by image scaling?

a.westermann at alkacon.com a.westermann at alkacon.com
Wed Jun 10 10:54:28 CEST 2009 

Hi Claus, Paul, Mika,

thanks for bringing up this thought and sharing ideas. We had a little 
unoffical brainstorming here too. What about another configuration 
option to limit the maximum amount of different scaled versions for 
every image. Normally an image will only be available in one to three 
different versions. Another thought was to use a LRU Map for scaled 
images and upon dropping an entry delete the scaled version. To cover 
the CPU load in the latter possible solution the LRU Map could be 
checked if the most recent request was for the same image and within a 
certain time range and e.g. return an error in case of DOS detection. 
These are only ideas for now.

Turning off image scaling sounds hard but is safe. Are there any more 
ideas on this subject?

Kind Regards,
Achim.

-------------------
Achim Westermann

Alkacon Software GmbH  - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org

Visit OpenCms Days 2009 Conference and Expo
June 15 to June 16 2009 in Cologne, Germany
http://www.opencms-days.org


Claus Priisholm wrote:
> Ideally the parameters should be encrypted or better yet hashed so only 
> the combinations of parameters known to the server are accepted. There 
> is already some of this going on as the resulting images are cached with 
> an unique id. But it may not be easy. I haven't looked that much at the 
> code involved.
> 
> But there is a couple of things you can do. In the opencms-vfs.xml you 
> can disable the function by setting image.scaling.enabled = false.
> And, if you need it, you can set the image.scaling.maxsize to whatever 
> is the maximum you need, Often I find that the function is only used for 
> making thumbnails and in that case you may get away with a maxsize = 64 
> pixels or likewise rather than the default 1500 pixels. At least that 
> helps minimize the severity of a DOS attempt
> 
> Paul-Inge Flakstad wrote:
>> Hi Mika
>>  
>> This was a very interesting post, raising questions on an issue I 
>> haven't even thought about. I'm really looking forward to hear what the 
>> experts have to say about this.
>>  
>> Cheers,
>> Paul
>>
>>     ------------------------------------------------------------------------
>>     *From:* opencms-dev-bounces at opencms.org
>>     [mailto:opencms-dev-bounces at opencms.org] *On Behalf Of *Mika Salminen
>>     *Sent:* 9. juni 2009 21:42
>>     *To:* opencms-dev at opencms.org
>>     *Subject:* [opencms-dev] DOS attacks made possible by image scaling?
>>
>>     Hello,
>>
>>     OpenCms image scaling with request parameters (I.E.
>>     http://your.url/image.jpeg?__scale=w:50,h:50) is nice feature and
>>     allows for example easy thumbnail generation. But I believe that it
>>     provides multiple possibilities for a malicious user to play around.
>>
>>     Basic attacks could possibly be done as easily as just requesting
>>     the image with many different parameters many times in a row.
>>
>>     For example:
>>
>>     http://your.url/image.jpeg?__scale=w:1,h:1
>>     http://your.url/image.jpeg?__scale=w:1,h:2
>>     http://your.url/image.jpeg?__scale=w:1,h:3
>>     ...
>>     http://your.url/image.jpeg?__scale=w:1024,h:767
>>
>>     This would cause OpenCms to create and write to cache a new version
>>     of the image (of course if image with given parameters does already
>>     exist in cache it is not recreated).
>>
>>     Introduced kind of attack could cause performance problems for the
>>     server (I assume that the image processing is not very cheap), but
>>     it can also cause nasty things to happen in cache. For example if
>>     there is a published 1024x768 JPEG image on a OpenCms website
>>     malicious user can request for all the 1024*768=786432 size
>>     variations of the image thus creating ~14GB data to disk
>>     (Assumptions: 1byte/pixel, average JPEG compression ratio 1:10. You
>>     can check my calculations in attached java code). And of course if
>>     there are more than one image on the site, attack can be done for
>>     them too (other resize parameters could work too, haven't checked...).
>>
>>     The point is that creating large amounts of data to cache is easily
>>     possible for malicious users. Filling the disk can in many cases put
>>     down the whole server.
>>
>>     At least partial resolution for this problem could be limiting the
>>     image cache size and making it for example LRU style (I could not
>>     find that limiting is done already). This does not of course prevent
>>     possible performance DOS attack and also the cache could be rendered
>>     useless by the attacker.
>>
>>     Other options I could think of seem more complicated and would
>>     probably require the available image sizes to be known before render
>>     time.
>>
>>     So tell me what you think about all this? Am I correct or do I miss
>>     something?
>>
>>     -Mika
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> This mail is sent to you from the opencms-dev mailing list
>> To change your list options, or to unsubscribe from the list, please visit
>> http://lists.opencms.org/mailman/listinfo/opencms-dev
>

More information about the opencms-dev mailing list