I found the issue below concerning inactive client connections (see Cassandra 
Security<http://jkb.netii.net/index.php/pub/sinosqldb/cassandra-security>). We 
are using Cassandra 1.2.4 and the Cassandra JDBC driver as client. Is this 
still an existing issue?
Quoted from site above:
Denial of Service problem:
Cassandra uses a Thread-Per-Client model in its network code. Since setting up 
a connection requires the Cassandra server to start a new thread on each 
connection (in addition to the TCP overhead incurred by the network), the 
Cassandra project recommends utilizing some sort of connection pooling. An 
attacker can prevent the Cassandra server from accepting new client connections 
by causing the Cassandra server to allocate all its resources to fake 
connection attempts. The only pieces of information required by an attacker are 
the IP addresses of the cluster members, and this information can be obtained 
by passively sniffing the network. The current implementation doesn't timeout 
inactive connections, so any connection that is opened without actually passing 
data consumes a thread and a file-descriptor that are never released.
