8

I am currently adding a subsite to some websites that allows me to monitor performance data live as the server software perceives it. The data is mostly stuff like amount of memory used, memory allocated, memory freed during last garbage collection, parallelity, uptime, etc. Error messages, logs, software version etc are not part of the data.

A part of my visitors is a bit geeky, so I thought it might be interesting for them if I exposed the subsite instead of hiding it behind an admin account.

What I am unsure about are the security implications. I have come up with two risks: the data might help do ddos attacks (information about timing and results is right there) and it might expose very rough ideas about visitor behaviour to "competitors".

But I have a feeling I am not creative enough (and not smart enough to find good google words). How have attackers used such information in the past?

MarLinn
  • 238
  • 1
  • 5
  • 1
    I believe that, depending on the specifics of the data you provide, you might be opening yourself up to a [timing attack](https://en.wikipedia.org/wiki/Timing_attack). For example, if you give the average amount of time it takes your server to respond to a request, an attacker will know that if they send a malicious request and wait significantly longer for a response than what you posted, they may have found a vulnerability. – Kevin Feb 28 '16 at 03:37
  • 1
    It will possibly make DoS attacks much easier. – Paul Draper Feb 28 '16 at 04:20
  • 1
    FWIW, GitHub does it - for all the system as a whole. – Deer Hunter Feb 28 '16 at 06:32

1 Answers1

13

So I have to admit that my first reaction was "I would never do this." That, however, may be more because I, historically, don't like to let anybody know anything they don't need to, than for any real security reason.

So that said, the only security issues I can think of are fairly limited, and fairly esoteric. It could be used to find a DoS or DDoS vector, if a) an attacker goes to the effort to profile your app, and b) happens to stumble upon the exact action required to stress your resources and c) it shows up definitively, or at least reasonably on your report. That said, it's way easier just to buy some time on a botnet and throw some traffic at you, so the actual risk from the perf data itself is likely quite low. The only exception would be if a quick look at the data shows that your site is either already under stress, or suffers under load easily. If it advertised significant weaknesses to the world, then it's conceivable that someone might act maliciously on that information.

As to the threat from competitors, that's up to you to measure how much of a risk that really is. Certianly lots of sites publish their traffic numbers, and for some it's quite critical to do so in order to attract advertisers, so unless you have specific reasons for wanting to keep the numbers under wraps, it may not be such a big deal. Server perf is also not the only way, or even the best way to estimate traffic, other than perhaps general up/down trends.

So, while I'm not ready to sign off on this as a great idea, the actual security risk is probably on the low side.

Xander
  • 35,525
  • 27
  • 113
  • 141