000014472 - Denial of service (DOS) against the RSA Security Console

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014472
Applies To: RSA Authentication Manager 7.1; RSA Security Console
Issue: Denial of service (DoS)
Cause

The concern is whether a malformed password submitted to the Security Console is simply rejected, or whether the console starts to grind. For example, suppose the console expects a passcode of 10 characters. A malicious insider tries to upset the console by submitting a 500-character password containing a mixture of digits, symbols, and upper- and lower-case letters.


Will the console stop and grind while it processes this 500-character password, effectively causing a denial of service (DoS), or will the application behave correctly and quickly reject the incorrect passcode?

Resolution

RSA Performance Engineering has performed a series of tests addressing this question: the performance of the system when presented with a malformed password that may contain many, and unusual, characters.


In all tests the system behaved correctly and as expected.


The short answer to the question is no: the interface will not stop and grind on a 500-character password, and the user-interface logic rejects a 500-character password outright. Passwords (and passcodes) must be shorter than 256 characters to reach the backend for processing at all, and passwords up to this size are processed efficiently by the backend. (Passcodes have a built-in maximum length of 8 characters for the PIN plus 8 characters for the tokencode.)


On a default system, if many authentication attempts are submitted in quick succession, with any valid password length and any combination of characters, system limits will be reached unless the attack is stopped by another network device (firewall, IDS, IDP, etc.). A default system is configured to allow 5000 active sessions; even if this limit is reached the system is robust enough not to crash, and it returns gracefully to normal operation once the attack stops affecting it.


The system has several configuration options to avoid consuming excessive memory; the relevant one here limits the total number of in-memory sessions. This limit is controllable in the RSA Security Console and should be tuned to suit your environment and your DoS response expectations. The length of time sessions are kept can also be controlled: the session lifetime named "Abandoned/In-Progress" is the time the server keeps an unauthenticated user session. By default such a session expires after 3 minutes of inactivity or after 8 minutes in total, whichever comes first.
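The three controls described in this resolution (rejecting over-long input before it reaches the backend, capping the number of in-memory sessions, and expiring Abandoned/In-Progress sessions on an inactivity timer or an absolute lifetime, whichever fires first) are illustrated below in Python. This is an added example written for this article, not RSA Authentication Manager code. The numeric values (255-character limit, 8+8 passcode, 5000 sessions, 3 and 8 minutes) are those quoted above; the SessionTable class, the authenticate() handler, and the injectable clock are assumptions made for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

# Values quoted in the article: credentials of 256+ characters never reach the
# backend; a passcode is at most an 8-character PIN plus an 8-character tokencode.
MAX_CREDENTIAL_LEN = 255
MAX_PASSCODE_LEN = 16
# Article defaults: 5000 active sessions; Abandoned/In-Progress sessions expire
# after 3 minutes of inactivity or 8 minutes in total, whichever comes first.
DEFAULT_MAX_SESSIONS = 5000
INACTIVITY_TIMEOUT_S = 3 * 60
ABSOLUTE_LIFETIME_S = 8 * 60


@dataclass
class Session:
    created_at: float
    last_seen: float


class SessionTable:
    """Hypothetical in-memory table of unauthenticated sessions (assumption,
    not RSA's data structure). `clock` is any callable returning seconds,
    e.g. time.monotonic; it is injected so expiry can be tested deterministically."""

    def __init__(self, clock, max_sessions=DEFAULT_MAX_SESSIONS,
                 inactivity_s=INACTIVITY_TIMEOUT_S, lifetime_s=ABSOLUTE_LIFETIME_S):
        self._clock = clock
        self._max = max_sessions
        self._inactivity = inactivity_s
        self._lifetime = lifetime_s
        self._sessions = {}

    def _expired(self, s, now):
        # Either timer firing is enough: "whichever comes first".
        return (now - s.last_seen >= self._inactivity
                or now - s.created_at >= self._lifetime)

    def reap(self):
        """Remove every expired session; returns how many were dropped."""
        now = self._clock()
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def open(self):
        """Create a session and return its id, or None once the cap is hit.
        Refusing at the cap, instead of growing without bound, is what keeps the
        process alive under a flood; capacity returns as sessions time out."""
        self.reap()
        if len(self._sessions) >= self._max:
            return None
        now = self._clock()
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(created_at=now, last_seen=now)
        return sid

    def touch(self, sid):
        """Record activity on a session; False if it is unknown or has expired."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        now = self._clock()
        if self._expired(s, now):
            del self._sessions[sid]
            return False
        s.last_seen = now
        return True

    def __len__(self):
        return len(self._sessions)


def within_length_limit(value, limit):
    """Cheap front-end check: looks only at the length, never parses the content."""
    return len(value) <= limit


def authenticate(table, sid, passcode, expected):
    """Hypothetical console handler showing the order of the checks.
    `expected` stands in for the value the backend would compute for this user;
    a constant-time comparison is used for the actual match."""
    if not within_length_limit(passcode, MAX_PASSCODE_LEN):
        return "rejected_length"      # a 500-character passcode stops here
    if not table.touch(sid):
        return "no_session"           # expired or never opened
    if hmac.compare_digest(passcode.encode(), expected.encode()):
        return "ok"
    return "bad_passcode"
```

The length gate runs before any session or backend work, so oversized junk costs one integer comparison. Under a flood, open() returns None at the cap rather than allocating, and reap() on each call drains the table as the two timers fire, which is the "returns gracefully to normal operation once the attack stops" behaviour the article describes.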

Legacy Article ID: a46760
