B Wyatt created TS-1422:
---------------------------
Summary: TProxy + proxy.config.http.use_client_target_addr can
cause site-specific DoS when DNS records are bad/stale or point to unreachable
servers
Key: TS-1422
URL: https://issues.apache.org/jira/browse/TS-1422
Project: Traffic Server
Issue Type: Bug
Components: HTTP
Affects Versions: 3.2.0
Environment: Version 3.2 running with TProxy interception and
proxy.config.http.use_client_target_addr == 1
Reporter: B Wyatt
Assignee: Alan M. Carroll
In the presence of multiple A(AA) records from DNS, most consumer browsers will
choose an alternate record if their current selected record is unreachable.
This allows the browser to successfully mitigate downed servers and
stale/erroneous DNS entries.

However, an intercepting proxy will establish a connection for a given endpoint
regardless of the state of the upstream endpoint. As a result, the browser's
ability to detect downed origin servers is completely neutralized.

When enabling proxy.config.http.use_client_target_addr, this situation creates a
localized service outage. ATS will skip DNS checks in favor of using the
endpoint address that the client was attempting to connect to during
interception. If this endpoint is unreachable, ATS will send an error response
(50x) to the user's browser. Since the browser assumes this is from the Origin
Server, it makes no attempt to move to the next DNS record.

In the event that a DNS record is erroneous or the most selected record (aka
first?) points to a down server, this can deny access to a destination for
users behind the transparent proxy, while users that are not intercepted merely
see increased latency as their browser cycles through bad DNS entries looking
for a good address.
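The failure mode described in the report above, modelled as an added example that is not part of the original report or the Traffic Server code base; it also includes an audit helper for finding hostnames whose record set mixes live and dead addresses. All function names are hypothetical, the addresses are constructed from the documentation range, the browser is assumed to pick the first record, and the string "50x" stands for the proxy's error response.

```python
import socket

def resolve_all(host, port=80):
    """All A/AAAA addresses for host, in resolver order, deduplicated."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return list(dict.fromkeys(info[4][0] for info in infos))

def tcp_reachable(addr, port=80, timeout=3.0):
    """Live probe: True if a TCP connection to addr:port succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def direct_client(records, reachable):
    """No interception: the browser walks the records until one connects."""
    for attempts, addr in enumerate(records, start=1):
        if reachable(addr):
            return {"result": "ok", "served_by": addr, "attempts": attempts}
    return {"result": "connect failed", "served_by": None, "attempts": len(records)}

def intercepted_client(records, reachable):
    """Interception with use_client_target_addr == 1 (simplified model).
    The proxy accepts the connection aimed at records[0], so the browser
    sees a successful connect and never moves on to records[1:]."""
    pinned = records[0]  # assumption: the browser selects the first record
    if reachable(pinned):
        return {"result": "ok", "served_by": pinned, "attempts": 1}
    return {"result": "50x", "served_by": "proxy", "attempts": 1}

def audit(records, reachable):
    """Flag a host whose record set mixes live and dead addresses."""
    dead = [addr for addr in records if not reachable(addr)]
    return {"dead": dead, "at_risk": 0 < len(dead) < len(records)}

if __name__ == "__main__":
    # Constructed sample: two records from the documentation range, first one down.
    records = ["192.0.2.10", "192.0.2.20"]
    up = {"192.0.2.20"}
    reachable = lambda addr: addr in up
    print("direct:     ", direct_client(records, reachable))
    print("intercepted:", intercepted_client(records, reachable))
    print("audit:      ", audit(records, reachable))
    # Live use: audit(resolve_all("host.example"), tcp_reachable)
```

For live use, run the audit from a vantage point whose traffic is not intercepted, since a probe sent through the transparent proxy connects regardless of the state of the upstream endpoint.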