[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867239#comment-15867239 ]
Michael Han commented on ZOOKEEPER-2693:
----------------------------------------

As for the patch for branch-3.4, I am thinking instead of disabling a subset of commands, we could just add a rate limiter. All commands will still be available to use (including the wchp/wchc ones), but they are rate limited so as not to cause any damage. Disabling a subset of commands does not solve the root issue, and I imagine it might still be possible to DOS the servers' acceptor threads by just utilizing whitelisted four letter words at massive scale on the client side. The configuration option of disabling 4lw or a subset of it seems an ultimate escape hatch - I guess it does not hurt to provide both as options for users, but for branch-3.4 it looks like a rate limiter is a must have to address current and potential issues when the server client port is accessible from the public.

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK
> client port - typically 2181. The following POC attack was recently published
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service
> and only allow access to trusted applications using it for coordination.
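The trade-off discussed in the comment, as an added illustration that is not ZooKeeper's own code: a per-client sliding-window limiter on four letter word requests, optionally combined with a command whitelist. Replaying constructed traffic shows that a whitelist alone lets an unbounded flood of allowed commands through, while the rate limit caps any one source regardless of which command it sends. Class names, the sample addresses and the budget of 5 requests per second are assumptions for the example.

```python
import time
from collections import defaultdict, deque

# Constructed example (hypothetical names, not ZooKeeper's code): per-client rate
# limit on 4lw requests, optionally combined with a whitelist of commands.

class FourLetterWordLimiter:
    """Sliding window: at most max_requests 4lw per client per window_seconds."""
    def __init__(self, max_requests, window_seconds, whitelist=None, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.whitelist = whitelist          # None: every command may be used
        self.clock = clock                  # injectable for reproducible tests
        self._history = defaultdict(deque)  # client -> times of accepted requests

    def check(self, client, command):
        """Return 'ok', 'not whitelisted' or 'rate limited' for one request."""
        if self.whitelist is not None and command not in self.whitelist:
            return "not whitelisted"
        now = self.clock()
        recent = self._history[client]
        while recent and now - recent[0] >= self.window:  # expire old entries
            recent.popleft()
        if len(recent) >= self.max_requests:
            return "rate limited"  # applies to whitelisted commands too
        recent.append(now)
        return "ok"

class FakeClock:  # manually advanced clock so the replay is deterministic
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def simulate(requests, max_requests=5, window_seconds=1.0, whitelist=None):
    """Replay (time, client, command) tuples and return each decision."""
    clock = FakeClock()
    limiter = FourLetterWordLimiter(max_requests, window_seconds, whitelist, clock)
    decisions = []
    for t, client, command in requests:
        clock.now = t
        decisions.append(limiter.check(client, command))
    return decisions

# Constructed traffic: one source sends wchp eight times in under a second,
# another sends a single ruok; the first source comes back with srvr later.
SAMPLE_REQUESTS = sorted(
    [(i / 10, "10.0.0.1", "wchp") for i in range(8)]
    + [(0.5, "10.0.0.2", "ruok"), (1.5, "10.0.0.1", "srvr")])
```

`simulate(SAMPLE_REQUESTS)` accepts the first five wchp requests, rejects the remaining three from that source while still serving the other client's ruok, and admits the later srvr once the window has moved on.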