Sim, I think the important danger in Jini is the use of objects. In simple messaging communication (especially if non-binary), you don't have to worry about objects. In Jini, any method can take an object as a parameter, which results in serialisation and unmarshalling at the receiver end. When an object has something nasty executing within the readObject() method, it's too late to do anything. We made experiments putting an infinite loop into an object's default constructor (I think) and you got a 100% CPU load at the service side before even knowing what the object was. We had the solution to use certificates and only accept service invocations from trusted parties, but this is very difficult to enforce over the Internet (or you have to constrain the system to a specific task that is only used by a closed group via the Internet).
Zoltan

=================================
Dr Zoltan Juhasz
Dept of Electrical Engineering and Information Systems
Pannon University (formerly University of Veszprem)
Veszprem, Hungary

> -----Original Message-----
> From: Sim IJskes - QCG [mailto:[email protected]]
> Sent: 29 September 2010 10:50
> To: [email protected]
> Subject: Re: Towards Internet Jini Services (dos attacks)
>
> On 29-09-10 10:26, Zoltan Juhasz wrote:
> > and unmarshalling and object movements may help DoS attacks to happen, etc, etc.
>
> Could you explain the basic difference between RPC and messaging within the context of DOS attacks?
>
> The only difference I see right now is that RPC mandates an ordered relation between the request and reply messages. Does this theoretically create an extra opportunity for DOS attacks?
>
> Gr. Sim
>
> --
> QCG, Software for SMEs, 071-5890970, http://www.qcg.nl
> Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397
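A receiver-side mitigation for the readObject() problem described above, added here as an example and not code from the thread or from Jini itself: a Java 9+ ObjectInputFilter that allow-lists the one class the service expects and rejects every other class descriptor before that class's readObject() can run. The demo class names (JiniDeserializationFilterDemo, Request, Unexpected) are constructed for this example.

```java
import java.io.*;

public class JiniDeserializationFilterDemo {

    // Constructed: the one parameter type this service is willing to unmarshal.
    static final class Request implements Serializable {
        private static final long serialVersionUID = 1L;
        final String query;
        Request(String query) { this.query = query; }
    }

    // Constructed: stands in for an unknown class whose readObject() runs code on arrival.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // in the thread's experiment, this is where the CPU-burning loop sat
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    // Receiver side: the filter is consulted when the class descriptor is read from the
    // stream, i.e. before any instance is created, so a rejected class never gets to
    // run readObject(). Patterns are matched in order; "!*" rejects everything unlisted,
    // and the depth/size limits cap resource use even for allowed classes.
    static Object receive(byte[] wire) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "JiniDeserializationFilterDemo$Request;java.base/*;!*;maxdepth=4;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Request ok = (Request) receive(serialize(new Request("lookup")));
        System.out.println("accepted: " + ok.query);
        try {
            receive(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            // Expected: filter status REJECTED, and Unexpected.readObjectRan is still false.
            System.out.println("rejected before readObject ran: " + !Unexpected.readObjectRan);
        }
    }
}
```

The same allow-list can be applied process-wide with the jdk.serialFilter system property instead of per stream, which is the practical way to cover every ObjectInputStream a Jini service or its proxies create.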
