[ https://issues.apache.org/jira/browse/THRIFT-3970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James E. King III closed THRIFT-3970.
-------------------------------------

> Server does not limit client connections
> ----------------------------------------
>
>                 Key: THRIFT-3970
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3970
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.9.3
>            Reporter: Claudius Heine
>            Assignee: James E. King III
>            Priority: Major
>              Labels: security
>             Fix For: 0.9.3
>
>         Attachments: TestServer.patch, ThriftDOSAttack.py
>
>
> Currently the connections from clients are only closed by the server when a
> receive timeout is configured or the client is sending invalid messages that
> cause exceptions on the server (with THRIFT-3957 and THRIFT-3961 merged).
> That means that the client can continue to occupy a limited open connection,
> as long as it sends valid messages in regular intervals.
>
> To demonstrate the issue the appended patch enables the connection limit and
> receive timeout on the TestServer and the appended python script opens many
> connections to it, thus rapidly exhausting the client connection limit.
>
> Starting the server:
> {code}
> $ bin/TestServer --protocol=json --transport=http --server-type=thread-pool --port=9080
> {code}
>
> Starting the script:
> {code}
> $ ./ThriftDOSAttack.py http://localhost:9080 3
> {code}
>
> After a short period the connection limit of the server should be exhausted
> and new connections are denied.
>
> To stop the python script you have to do this in a separate terminal:
> {code}
> $ kill $(pgrep -f "ThriftDOSAttack.py")
> {code}
>
> Here are a few ideas to prevent this scenario:
> - Implement traffic limitation of every connection, after limit is reached,
>   disconnect the client.
> - Limit size of a single RPC call and limit number of calls per connection
> - Limit number of connections per IP
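The three mitigations the reporter lists can be folded into a single admission policy that the server consults on accept and on every received message. The class below is an added example, not code from the Thrift library or from the issue's attachments; its method names, the `fd`/IP bookkeeping and the limit values are assumptions, and in a real server it would be driven by the accept loop and the message-read path.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
// Added example (not Thrift library code): an admission policy enforcing the
// three limits proposed in the issue. Limit values are assumed placeholders.
struct ConnState {
    std::string ip;
    std::uint64_t calls = 0;  // RPC calls seen on this connection
    std::uint64_t bytes = 0;  // payload bytes seen on this connection
};
class AdmissionPolicy {
public:
    AdmissionPolicy(std::size_t maxPerIp, std::uint64_t maxCalls,
                    std::uint64_t maxBytes, std::uint64_t maxMsg)
        : maxPerIp_(maxPerIp), maxCalls_(maxCalls), maxBytes_(maxBytes), maxMsg_(maxMsg) {}
    // New connection from `ip` on descriptor `fd`; false means refuse it.
    bool onConnect(const std::string& ip, int fd) {
        if (perIp_[ip] >= maxPerIp_) return false;  // per-IP connection cap
        ++perIp_[ip];
        conns_[fd] = ConnState{ip, 0, 0};
        return true;
    }
    // A message of `size` bytes arrived on `fd`; false means close the connection.
    bool onMessage(int fd, std::uint64_t size) {
        auto it = conns_.find(fd);
        if (it == conns_.end()) return false;
        ConnState& s = it->second;
        ++s.calls; s.bytes += size;
        if (size > maxMsg_ || s.calls > maxCalls_ || s.bytes > maxBytes_) {
            onDisconnect(fd);  // release the slot so other clients can connect
            return false;
        }
        return true;
    }
    void onDisconnect(int fd) {
        auto it = conns_.find(fd);
        if (it == conns_.end()) return;
        if (--perIp_[it->second.ip] == 0) perIp_.erase(it->second.ip);
        conns_.erase(it);
    }
    std::size_t connectionsFrom(const std::string& ip) const {
        auto it = perIp_.find(ip); return it == perIp_.end() ? 0 : it->second;
    }
private:
    std::size_t maxPerIp_; std::uint64_t maxCalls_, maxBytes_, maxMsg_;
    std::map<std::string, std::size_t> perIp_;  // open connections per client IP
    std::map<int, ConnState> conns_;            // per-connection counters
};
```

A connection that trips any limit is dropped and its per-IP slot is freed immediately, so a single misbehaving client cannot hold the server's connection limit indefinitely the way the reporter describes.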