Posted to dev@activemq.apache.org by "Jim Gomes (JIRA)" <ji...@apache.org> on 2013/02/26 23:14:13 UTC
[jira] [Work stopped] (AMQNET-415) Client with wrong credentials overloads server when using failover
[ https://issues.apache.org/jira/browse/AMQNET-415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on AMQNET-415 stopped by Jim Gomes.
> Client with wrong credentials overloads server when using failover
> ------------------------------------------------------------------
>
> Key: AMQNET-415
> URL: https://issues.apache.org/jira/browse/AMQNET-415
> Project: ActiveMQ .Net
> Issue Type: Bug
> Components: ActiveMQ, NMS
> Affects Versions: 1.5.6
> Environment: ActiveMQ Broker 5.6.0
> Reporter: Jim Gomes
> Assignee: Jim Gomes
> Priority: Minor
> Labels: authentication, failover
> Fix For: 1.5.7
>
>
> If the ActiveMQ broker has been secured to enforce login credentials, the NMS client will continually attempt to authenticate against it if it is using the failover protocol.
> Steps to Reproduce:
> ----------------------
> 1. Configure the broker to require login credentials for connections.
> 2. Configure the NMS client to use failover mode.
> 3. Configure the NMS client with incorrect login credentials.
> 4. Attempt to connect the NMS client to the server.
> Results:
> ----------------------
> The client reattempts login continuously without backing off, and has a significant impact on the performance of the server.
> Expected:
> ----------------------
> The client should not enter failover, because it never successfully connected, and it would never expect to connect.
> Notes:
> ----------------------
> This was experienced using the OpenWire client, but a similar bug may exist in the STOMP client's failover code.
> The broker may also want to protect itself against this, as this is an easy attack vector for a DDoS. Just a couple of clients attempting to log in with invalid credentials can dramatically impact the server's performance, not just the broker.
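An added example, not part of the original JIRA message and not Apache.NMS code: one way a client reconnect loop can avoid the behaviour reported above, by treating a credential rejection as fatal and backing off on transport errors. The exception types, `ReconnectPolicy.Connect`, the injected `sleep` callback and the delay values are hypothetical.

```csharp
using System;

// Hypothetical exception types for this sketch (not Apache.NMS class names).
class AuthenticationFailedException : Exception { }
class TransportFailedException : Exception { }

static class ReconnectPolicy
{
    // Retries connect() on transport errors with capped, jittered exponential
    // backoff. A credential rejection is rethrown at once: the same credentials
    // can never succeed, so the client must not enter failover.
    public static int Connect(Action connect, int maxAttempts,
        TimeSpan initialDelay, TimeSpan maxDelay, Action<TimeSpan> sleep)
    {
        var rng = new Random();
        double delayMs = initialDelay.TotalMilliseconds;
        for (int attempt = 1; ; attempt++)
        {
            try { connect(); return attempt; }
            catch (AuthenticationFailedException) { throw; }
            catch (TransportFailedException)
            {
                if (attempt >= maxAttempts) throw;
                // Wait 50-100% of the delay so clients do not retry in lockstep.
                sleep(TimeSpan.FromMilliseconds(delayMs * (0.5 + rng.NextDouble() / 2)));
                delayMs = Math.Min(delayMs * 2, maxDelay.TotalMilliseconds);
            }
        }
    }
}

static class Demo
{
    static void Main()
    {
        TimeSpan first = TimeSpan.FromMilliseconds(100), cap = TimeSpan.FromSeconds(30);
        int calls = 0;
        // Constructed scenario 1: broker unreachable twice, then reachable.
        // The injected sleep only logs the chosen delay so the demo finishes quickly.
        int used = ReconnectPolicy.Connect(
            () => { if (++calls < 3) throw new TransportFailedException(); },
            10, first, cap, d => Console.WriteLine($"retrying in {d.TotalMilliseconds:F0} ms"));
        Console.WriteLine($"connected after {used} attempts");
        // Constructed scenario 2: broker rejects the credentials.
        calls = 0;
        try { ReconnectPolicy.Connect(() => { calls++; throw new AuthenticationFailedException(); }, 10, first, cap, d => { }); }
        catch (AuthenticationFailedException) { Console.WriteLine($"rejected after {calls} attempt, not retrying"); }
    }
}
```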