Posted to dev@qpid.apache.org by "Rob Godfrey (JIRA)" <ji...@apache.org> on 2014/08/08 21:13:11 UTC

[jira] [Commented] (QPID-5745) [Java Broker] Close the socket if authentication fails and a client does not send back command "connection.close-ok" as response to a broker "connection.close" during pre-defined period

    [ https://issues.apache.org/jira/browse/QPID-5745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14091175#comment-14091175 ] 

Rob Godfrey commented on QPID-5745:
-----------------------------------

Enabling the readerIdle() mechanism on the 0-8/9/9-1 codepath should go some way to resolve this issue.  There is a default "idle timeout" set on connection creation, and if no traffic is received in this timeframe the connection is automatically closed.

There would still exist the possibility of establishing a connection, failing to log in and simply sending heartbeats. So, a second level of protection such as adding a check in received(ByteBuffer) on the protocol engine to ensure that the connection is closed if an authenticated connection is not established within a given period of time (10s say) might be reasonable.  This would also guard against people trying to DoS by opening connections and then sending one byte at a time every second or so.

> [Java Broker] Close the socket if authentication fails and a client does not send back command "connection.close-ok" as response to a broker "connection.close" during pre-defined period
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-5745
>                 URL: https://issues.apache.org/jira/browse/QPID-5745
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>    Affects Versions: 0.8, 0.10, 0.12, 0.14, 0.16, 0.18, 0.20, 0.22, 0.24, 0.26
>            Reporter: Alex Rudyy
>
> Close the socket if authentication fails and a client does not send back command "connection.close-ok" as response to a broker "connection.close" during pre-defined period.
> IoSender threads left behind in this scenario might cause the broker to eventually run out of memory.

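The two-layer scheme described in the comment above (an idle timer plus an authentication deadline enforced on every received buffer), as an added Java sketch that is not Qpid code; the AuthDeadlineGuard class, its method names, the injected clock and the 10s/30s values in the scenario are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.util.function.LongSupplier;

/** Per-connection guard: idle timer plus an authentication deadline (hypothetical, not Qpid code). */
public final class AuthDeadlineGuard {
    private final long authDeadlineMs, idleTimeoutMs;
    private final LongSupplier clock;   // injected so the scenario below can use a fake clock
    private final long openedAt;
    private long lastTrafficAt;
    private boolean authenticated, closed;
    private String closeReason;

    public AuthDeadlineGuard(long authDeadlineMs, long idleTimeoutMs, LongSupplier clock) {
        this.authDeadlineMs = authDeadlineMs;
        this.idleTimeoutMs = idleTimeoutMs;
        this.clock = clock;
        this.openedAt = this.lastTrafficAt = clock.getAsLong();
    }
    /** Protocol-engine entry point for every inbound buffer, heartbeats and single bytes included. */
    public void received(ByteBuffer data) {
        if (closed) return;
        lastTrafficAt = clock.getAsLong();
        enforceAuthDeadline();   // traffic alone must not keep an unauthenticated socket open
    }
    /** Idle-timer callback (readerIdle-style): no traffic within the timeout closes the socket. */
    public void onIdleCheck() {
        if (closed) return;
        if (clock.getAsLong() - lastTrafficAt > idleTimeoutMs) close("idle timeout");
        else enforceAuthDeadline();
    }
    public void markAuthenticated() { authenticated = true; }
    public boolean isClosed() { return closed; }
    public String closeReason() { return closeReason; }

    private void enforceAuthDeadline() {
        if (!authenticated && clock.getAsLong() - openedAt > authDeadlineMs)
            close("not authenticated within " + authDeadlineMs + " ms");
    }
    private void close(String reason) { closed = true; closeReason = reason; }  // real code closes the socket

    /** Constructed scenario: a client never logs in and sends one byte per second, which the idle timer alone never catches. */
    public static void main(String[] args) {
        long[] now = {0L};   // fake clock, milliseconds
        AuthDeadlineGuard g = new AuthDeadlineGuard(10_000, 30_000, () -> now[0]);
        for (int s = 1; s <= 12 && !g.isClosed(); s++) {
            now[0] = s * 1000L;
            g.received(ByteBuffer.wrap(new byte[]{0x41}));
            g.onIdleCheck();
        }
        System.out.println("closed=" + g.isClosed() + " reason=" + g.closeReason());
    }
}
```

With these values the idle timer (30s) never fires because a byte arrives every second, but the authentication deadline closes the connection on the first buffer received after 10s.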