mechanisms for restricting/throttling kerberos transactions

g.w at hurderos.org
Fri Nov 12 11:44:30 EST 2004


On Nov 4, 11:40am, Albert Lunde wrote:
} Subject: mechanisms for restricting/throttling kerberos transactions

Good morning to Albert and everyone on the list.

> I'd like to know what mechanisms may exist for restricting kerberos
> transactions.
> 
> I'm interested in:
> 
> 1) restricting by source domain/IP
> 2) rate-limiting for a given source IP
> 3) denying access to IPs with a large number of failures
>   (with whitelist exceptions for known/trusted servers)
> 
> I'm interested in both generic MIT-compatible kerberos and kerberos using
> Active Directory.
> 
> Our first concern is with limiting the scope of password-guessing attacks,
> though there are probably some other applications.

There are any number of ways to attack the problem.  With respect to
limiting password-guessing attacks an initial first pass approximation
would be to enable pre-authentication.  It doesn't completely solve
the problem but does limit its applicability.

With respect to denying access there are also a number of ways to
accomplish that.  The use of kernel level firewalling is probably the
lowest level to attack the problem at.

A more dynamic implementation is probably best done at the KDC in
userspace.  If you are interested in that approach you may want to
take a look at the next Hurderos release which should be available the
week after next.

This release will include a plug-in architecture based on shared
libraries for MIT's Kerberos distribution which would make
implementing these types of enhancements a bit more straightforward.
If MIT should choose to accept this architecture on the mainstream it
would also provide a mechanism for making these types of enhancements
more persistent across multiple releases as well.

The plug-in architecture provides hooks for intercepting and
modifying the functionality of the KDC/kadmind at reasonably generic
points.  For example your solution could be implemented by
intercepting the AS_REQ and making decisions based on the source of
the request.

I'm afraid that I can't help you out on the Active Directory front.
We are focused on providing an open-architecture workalike.  Largely
because its manufacturer is probably not going to provide source level
extensibility.... :-)

>      Albert Lunde         Albert-Lunde at northwestern.edu (new address)

You may want to watch for the announcement or I would be happy to put
you on the 'Friends of Hurderos' list if you would like.

Take care, have a good weekend.

}-- End of excerpt from Albert Lunde

As always,
GW
------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
		    Home for Open-Source 'Uberware'
                       http://www.hurderos.org
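The three controls Albert asks for (source-network restriction, per-source rate limiting, and lockout after repeated failures with a whitelist for trusted servers) reduce to a small piece of per-source state that an AS_REQ interception hook could consult. The following is an added example, not code from Hurderos, MIT Kerberos or this thread: it implements that decision logic on its own, with a hypothetical `check()`/`record_result()` pair standing in for whatever hook a KDC plug-in would actually expose, and a constructed sequence of requests that exercises each rule. Addresses, windows and thresholds are made-up sample values.

```python
"""Source-based gating of AS_REQ traffic (added example, not a real KDC API).

AsReqPolicy.check() is what a hypothetical AS_REQ hook would call before the
KDC processes a request; record_result() is what it would call once the
outcome (e.g. pre-authentication success or failure) is known.
"""
from collections import defaultdict, deque
import ipaddress


class AsReqPolicy:
    def __init__(self, allowed_networks=(), whitelist=(),
                 rate_limit=(20, 10.0), failure_limit=(5, 300.0), lockout=900.0):
        # 1) sources outside allowed_networks are refused (empty = allow any)
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        # whitelisted networks bypass every rule (known/trusted servers)
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        # 2) at most rate_max requests per source within rate_window seconds
        self.rate_max, self.rate_window = rate_limit
        # 3) fail_max failures within fail_window seconds locks the source out
        self.fail_max, self.fail_window = failure_limit
        self.lockout = lockout
        self._requests = defaultdict(deque)   # ip -> timestamps of recent AS_REQs
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time the lockout expires

    @staticmethod
    def _in(ip, nets):
        return any(ip in n for n in nets)

    @staticmethod
    def _prune(q, now, window):
        # drop timestamps that have aged out of the sliding window
        while q and now - q[0] > window:
            q.popleft()

    def check(self, src, now):
        """Decide whether an AS_REQ from src may proceed; returns (allowed, reason)."""
        ip = ipaddress.ip_address(src)
        if self._in(ip, self.whitelist):
            return (True, "whitelisted")
        if self.allowed and not self._in(ip, self.allowed):
            return (False, "source not in allowed networks")
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return (False, "locked out after repeated failures")
            del self._locked_until[ip]          # lockout expired
        q = self._requests[ip]
        self._prune(q, now, self.rate_window)
        if len(q) >= self.rate_max:
            return (False, "rate limit exceeded")
        q.append(now)
        return (True, "ok")

    def record_result(self, src, success, now):
        """Feed back the outcome of a request; returns True if src just got locked out."""
        ip = ipaddress.ip_address(src)
        if success:
            self._failures.pop(ip, None)        # a success clears the failure history
            return False
        q = self._failures[ip]
        self._prune(q, now, self.fail_window)
        q.append(now)
        if len(q) >= self.fail_max and not self._in(ip, self.whitelist):
            self._locked_until[ip] = now + self.lockout
            return True
        return False


def simulate():
    """Run a constructed sequence of AS_REQs through the policy; returns the decisions."""
    policy = AsReqPolicy(allowed_networks=["10.0.0.0/8"], whitelist=["10.1.1.5/32"],
                         rate_limit=(3, 10.0), failure_limit=(2, 300.0), lockout=900.0)
    out = {}
    # a source outside the allowed ranges is refused outright
    out["outside"] = policy.check("192.0.2.9", 0.0)
    # a burst from one host: the 4th request inside the 10 s window is refused
    for t in (0.0, 1.0, 2.0):
        policy.check("10.2.3.4", t)
    out["burst"] = policy.check("10.2.3.4", 3.0)
    # two failures from another host lock it out until the lockout expires
    for t in (100.0, 101.0):
        policy.check("10.9.9.9", t)
        policy.record_result("10.9.9.9", False, t)
    out["locked"] = policy.check("10.9.9.9", 102.0)
    out["unlocked"] = policy.check("10.9.9.9", 102.0 + 900.0)
    # the whitelisted server keeps failing but is never locked out
    for t in (200.0, 201.0, 202.0):
        policy.check("10.1.1.5", t)
        policy.record_result("10.1.1.5", False, t)
    out["trusted"] = policy.check("10.1.1.5", 203.0)
    return out


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name:10s} -> {decision}")
```

The sliding windows are kept per source address, so the state grows with the number of distinct clients; a real deployment would expire idle entries and would also have to decide whether the source is the client IP or an intermediate proxy, which is why the reply above points to kernel-level firewalling as the cheaper option when a static allow/deny by address is all that is needed.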

