Posted to dev@thrift.apache.org by "Claudius Heine (JIRA)" <ji...@apache.org> on 2016/11/11 10:39:58 UTC

[jira] [Created] (THRIFT-3970) Server does not limit client connections

Claudius Heine created THRIFT-3970:
--------------------------------------

             Summary: Server does not limit client connections
                 Key: THRIFT-3970
                 URL: https://issues.apache.org/jira/browse/THRIFT-3970
             Project: Thrift
          Issue Type: Bug
          Components: C++ - Library
    Affects Versions: 0.9.3
            Reporter: Claudius Heine
         Attachments: TestServer.patch, ThriftDOSAttack.py

Currently, connections from clients are only closed by the server when a receive timeout is configured or when the client sends invalid messages that cause exceptions on the server (with THRIFT-3957 and THRIFT-3961 merged).
That means that a client can continue to occupy one of the limited number of open connections for as long as it sends valid messages at regular intervals.
 
The appended patch enables the connection limit and receive timeout on the TestServer, and the appended Python script opens many connections to it, thus rapidly exhausting the client connection limit.

Starting the server:
{code}
$ bin/TestServer --protocol=json --transport=http --server-type=thread-pool --port=9080
{code}

Starting the script:
{code}
$ ./ThriftDOSAttack.py http://localhost:9080 3
{code}

After a short period the connection limit of the server should be exhausted and new connections are denied.

To stop the Python script you have to do this in a separate terminal:
{code}
$ kill $(pgrep -f "ThriftDOSAttack.py")
{code}

Here are a few ideas to prevent this scenario:
- Implement traffic limitation for every connection; after the limit is reached, disconnect the client.
- Limit the size of a single RPC call and limit the number of calls per connection.
- Limit the number of connections per IP.
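The three mitigation ideas above, sketched as an added C++ example that is not part of the Thrift library or of this issue's attachments: a per-IP admission counter consulted when a socket is accepted, plus a per-connection budget of calls and bytes consulted before each RPC is dispatched. The type names (`Limits`, `ConnectionGovernor`, `ConnectionBudget`) and the limit values are assumptions chosen for illustration; a real server would tie `admit`/`release` to its accept and close paths and `allowCall` to its message-read path.

```cpp
// Added example, not Thrift project code. Names and limits are assumptions.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <mutex>
#include <string>

struct Limits {
    std::size_t   maxConnsPerIp;    // open connections one peer address may hold
    std::uint64_t maxCallsPerConn;  // RPC calls allowed over one connection
    std::uint64_t maxBytesPerConn;  // total request bytes allowed over one connection
    std::size_t   maxRpcBytes;      // largest single RPC payload accepted
};

// Tracks open connections per peer IP; the server asks it on accept/close.
class ConnectionGovernor {
public:
    explicit ConnectionGovernor(Limits l) : limits_(l) {}

    // Called when a socket is accepted. Returns false when the peer already
    // holds maxConnsPerIp connections; the caller should then close the socket.
    bool admit(const std::string& ip) {
        std::lock_guard<std::mutex> g(mu_);
        std::size_t& n = perIp_[ip];
        if (n >= limits_.maxConnsPerIp) return false;
        ++n;
        return true;
    }

    // Called whenever a connection closes (timeout, error, or budget exhausted).
    void release(const std::string& ip) {
        std::lock_guard<std::mutex> g(mu_);
        auto it = perIp_.find(ip);
        if (it == perIp_.end()) return;
        if (--it->second == 0) perIp_.erase(it);
    }

    std::size_t connections(const std::string& ip) const {
        std::lock_guard<std::mutex> g(mu_);
        auto it = perIp_.find(ip);
        return it == perIp_.end() ? 0 : it->second;
    }

private:
    Limits limits_;
    mutable std::mutex mu_;
    std::map<std::string, std::size_t> perIp_;
};

// Per-connection budget checked before every RPC is dispatched.
class ConnectionBudget {
public:
    explicit ConnectionBudget(Limits l) : limits_(l) {}

    // Returns true if the call may be processed. False means the server should
    // close this connection: the payload is oversized or the budget is used up.
    bool allowCall(std::size_t rpcBytes) {
        if (rpcBytes > limits_.maxRpcBytes) return false;
        if (calls_ >= limits_.maxCallsPerConn) return false;
        if (bytes_ + rpcBytes > limits_.maxBytesPerConn) return false;
        ++calls_;
        bytes_ += rpcBytes;
        return true;
    }

    std::uint64_t calls() const { return calls_; }
    std::uint64_t bytes() const { return bytes_; }

private:
    Limits limits_;
    std::uint64_t calls_ = 0;
    std::uint64_t bytes_ = 0;
};

// Models the reproduction in this issue without opening sockets: one peer
// tries to open `attempts` connections; returns how many were admitted.
std::size_t simulateBurst(ConnectionGovernor& gov, const std::string& ip, std::size_t attempts) {
    std::size_t admitted = 0;
    for (std::size_t i = 0; i < attempts; ++i)
        if (gov.admit(ip)) ++admitted;
    return admitted;
}

int main() {
    Limits limits{3, 5, 1000, 400};          // constructed sample limits
    ConnectionGovernor gov(limits);
    std::cout << "admitted from one IP: "
              << simulateBurst(gov, "192.0.2.10", 50) << " of 50\n";
    ConnectionBudget budget(limits);
    std::cout << "oversized RPC allowed: " << budget.allowCall(500) << "\n";
    return 0;
}
```

The governor bounds what a single address can take from the server-wide connection pool, and the budget bounds how long one connection can stay useful to a client that keeps sending valid messages; both are checked on the server side only and need no cooperation from the client.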



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)