- Ransomware encrypts your files.
- You notice and want to restore a backup. Luckily, you thought ahead and have this append-only server, so the attacker could not delete anything.
- Unfortunately, because disk space is not infinite, you had your server set to run a forget+prune every month, and the attacker (in true Kerckhoff’s style: knowing your system but not your keys) created fake snapshots mere minutes before your cron job ran, causing your
forget
rule to think the real backups were stale and should be removed!
The threat model warns for some trick using the forget
command:
Note: It is not recommended to ever run forget automatically for an append-only backup to which a potentially compromised host has access because an attacker using fake snapshots could cause forget to remove correct snapshots.
—References — restic 0.16.3 documentation
One approach to solving this problem would be to simply include --keep-within 14d
to make an attacker wait at least 14 days between compromising your system and successfully deleting your backups. I use my computer more frequently than that, so I would notice if my files were encrypted in the meantime. However, the documentation makes short work of that attempted mitigation:
--keep-within duration
keep all snapshots which have been made within the duration of the latest snapshot
[…]All calendar related
--keep-*
options work on the natural time boundaries and not relative to when you run theforget
command.
—Removing backup snapshots — restic 0.16.3 documentation
Not sure what a natural time boundary is (are there unnatural time boundaries?) but the rest is pretty unambiguous: the attacker can add snapshots that were supposedly made in the year 2300 and forget
would happily remove all your other snapshots as being too ancient. Or if you try to keep N weekly, they would add >N bogus historic ones.
Is there any rule possible to keep snapshots for at least, let’s say, 14 days after they were added? Or does one need to write a custom script that does sanity checks on snapshot list (while the server is off to prevent race conditions) to use the append-only
feature effectively?
And is this the attack meant by the threat model? I checked the diff, the pull request thread and review comments, and the ticket that triggered adding a threat model in the first place, but no attack is mentioned concretely. After a while, I figured this must be it, but since I didn’t realize that append-only is not safe with forget
until the threat model hinted at it, there might be more I don’t realize yet.
(mods: please remove the `backticks` around those links. The stupid forum software doesn’t allow me to post more than two links, even if it’s all the same domain. Also, it sends spam by default to try and get me onto the forum (“Activity Summary”). I’m signed up for way too many discourse forums out there now, each with a new login, for this to be a convenient default setting…)