[ https://issues.apache.org/jira/browse/THRIFT-5779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17840549#comment-17840549 ]

Anshul Mohan Gupta commented on THRIFT-5779:
--------------------------------------------

[~emmenlau] Thanks for taking a look at the PR and I appreciate that you agree
with the PR. Letting any such external request kill the thrift server is an
ample opportunity for bad actors to make the applications unresponsive, so any
such request should be ignored and not let the thrift server be killed. I believe
not all code paths in the thrift server should throw exceptions, at least the
ones that can potentially destroy the server. Let me know your thoughts on this
one. We may identify these critical paths and guard them against any DDoS
attacks. Thanks!

> Thrift server getting killed for incomplete requests 
> -----------------------------------------------------
>
>                 Key: THRIFT-5779
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5779
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.12.0
>            Reporter: Anshul Mohan Gupta
>            Assignee: Anshul Mohan Gupta
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The thrift server is getting killed when using security port scan tools on
> the hosts running the thrift server. These tools try to connect to the open
> ports by sending requests to the ports, and the error can happen during the
> accept syscall, while waiting for an incoming connection, or on receiving a
> connection that terminates before the accept process completes, hence killing
> the thrift server. This can cause potential DoS (Denial of service) attacks on
> the applications running the thrift server, causing them to become
> unresponsive. Sometimes, even just running netcat (nc -zvvvw2 <hostname>
> <thrift server port>) against the remote port can kill the entire thrift
> server, making it unresponsive.
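One way to implement the guard the comment asks for, as an added example that is not Thrift's own code: an accept loop that treats per-connection errors such as ECONNABORTED as ignorable and only stops for errors on the listening socket itself. The accept primitive is injected, and the scripted stand-in is constructed here purely so the loop can be exercised without a network.

```cpp
#include <cerrno>
#include <cstdio>
#include <functional>
#include <unistd.h>
#include <vector>
#include <sys/socket.h>

// Errors that belong to one doomed client or a passing resource shortage,
// not to the listening socket. Treating them as fatal is what lets a port
// scan or "nc -z" take the whole server down.
bool acceptErrorIsTransient(int err) {
    switch (err) {
    case ECONNABORTED:  // peer closed before accept() completed
    case EINTR:         // interrupted by a signal
    case EMFILE: case ENFILE: case ENOBUFS: case ENOMEM:  // back off, do not die
        return true;
    default:            // EBADF, EINVAL, ENOTSOCK ...: the listener itself is broken
        return false;
    }
}

// accept() is injected so the loop can be exercised without a network.
using AcceptFn = std::function<int(int, sockaddr*, socklen_t*)>;

// Returns a connected fd, or -1 only when the listener itself is unusable.
int acceptWithRetry(int listenFd, const AcceptFn& doAccept) {
    for (;;) {
        sockaddr_storage addr{};
        socklen_t len = sizeof(addr);
        int fd = doAccept(listenFd, reinterpret_cast<sockaddr*>(&addr), &len);
        if (fd >= 0) return fd;
        int err = errno;
        if (!acceptErrorIsTransient(err)) {
            std::fprintf(stderr, "accept: fatal errno %d, stopping listener\n", err);
            return -1;
        }
        std::fprintf(stderr, "accept: ignoring transient errno %d\n", err);
        if (err != ECONNABORTED && err != EINTR) usleep(10000);  // resource shortage
    }
}

// Constructed stand-in for accept(): each entry is an fd (>= 0) to hand back or
// a negated errno to fail with; an exhausted script fails with EBADF (fatal).
AcceptFn scriptedAccept(std::vector<int> script) {
    return [steps = std::move(script), pos = size_t{0}](int, sockaddr*, socklen_t*) mutable -> int {
        int step = pos < steps.size() ? steps[pos++] : -EBADF;
        if (step < 0) { errno = -step; return -1; }
        return step;
    };
}
```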

--
This message was sent by Atlassian Jira
(v8.20.10#820010)