Posted to dev@activemq.apache.org by "Jim Gomes (JIRA)" <ji...@apache.org> on 2013/02/26 23:14:13 UTC

[jira] [Resolved] (AMQNET-415) Client with wrong credentials overloads server when using failover

     [ https://issues.apache.org/jira/browse/AMQNET-415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jim Gomes resolved AMQNET-415.
------------------------------

    Resolution: Fixed
    
> Client with wrong credentials overloads server when using failover
> ------------------------------------------------------------------
>
>                 Key: AMQNET-415
>                 URL: https://issues.apache.org/jira/browse/AMQNET-415
>             Project: ActiveMQ .Net
>          Issue Type: Bug
>          Components: ActiveMQ, NMS
>    Affects Versions: 1.5.6
>         Environment: ActiveMQ Broker 5.6.0
>            Reporter: Jim Gomes
>            Assignee: Jim Gomes
>            Priority: Minor
>              Labels: authentication, failover
>             Fix For: 1.5.7
>
>
> If the ActiveMQ broker has been secured to enforce login credentials, the NMS client will continually attempt to authenticate against it if it is using the failover protocol.
> Steps to Reproduce:
> ----------------------
> 1. Configure the broker to require login credentials for connections.
> 2. Configure the NMS client to use failover mode.
> 3. Configure the NMS client with incorrect login credentials.
> 4. Attempt to connect the NMS client to the server.
> Results:
> ----------------------
> The client reattempts login continuously without backing off, and has a significant impact on the performance of the server.
> Expected:
> ----------------------
> The client should not enter failover, because it never successfully connected, and it would never expect to connect.
> Notes:
> ----------------------
> This was experienced using the OpenWire client, but a similar bug may exist in the STOMP client's failover code.
> The broker may also want to protect itself against this, as this is an easy attack vector for a DDoS.  Just a couple of clients attempting to login with invalid credentials can dramatically impact the server's performance, not just the broker.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
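
The client behaviour the report asks for (stop on rejected credentials, back off on transport errors) can be expressed as a reconnect policy. This is an added example, not the NMS project's code or the fix made for AMQNET-415; `ReconnectPolicy`, both exception types, and the delay and attempt limits are hypothetical.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical exception types; a real client would map its own errors to these.
class AuthenticationFailedException : Exception { }
class TransportUnavailableException : Exception { }
static class ReconnectPolicy
{
    // Runs connect() until it succeeds; returns the backoff delays (ms) it waited.
    // sleep is injected so the policy can be exercised without real waiting.
    public static List<int> Run(Action connect, Action<int> sleep,
        int initialDelayMs = 100, int maxDelayMs = 30000, int maxAttempts = 8)
    {
        var delays = new List<int>();
        int delay = initialDelayMs;
        for (int attempt = 1; attempt <= maxAttempts; attempt++)
        {
            try { connect(); return delays; }
            catch (AuthenticationFailedException)
            {
                // The broker rejected the credentials. Retrying cannot succeed
                // and only loads the broker, so surface the error immediately.
                throw;
            }
            catch (TransportUnavailableException)
            {
                if (attempt == maxAttempts) throw;          // bounded retries
                sleep(delay);
                delays.Add(delay);
                delay = Math.Min(delay * 2, maxDelayMs);    // exponential, capped
            }
        }
        return delays;
    }
}
static class Program
{
    static void Main()
    {
        int calls = 0;
        // Constructed scenario: unreachable twice, then the login is rejected.
        Action connect = () =>
        {
            if (++calls <= 2) throw new TransportUnavailableException();
            throw new AuthenticationFailedException();
        };
        try { ReconnectPolicy.Run(connect, ms => Console.WriteLine($"backoff {ms} ms")); }
        catch (AuthenticationFailedException) { Console.WriteLine($"login rejected on attempt {calls}; not retrying"); }
    }
}
```

With the constructed scenario the program waits 100 ms and 200 ms for the two transport failures, then stops on the third attempt when the login is rejected.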