Posted to issues@activemq.apache.org by "Leo Riguspi (JIRA)" <ji...@apache.org> on 2015/06/05 17:47:00 UTC

[jira] [Updated] (AMQ-5829) Fake AMQP connections remain in ActiveMQ and cause denial of service

     [ https://issues.apache.org/jira/browse/AMQ-5829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leo Riguspi updated AMQ-5829:
-----------------------------
    Description: 
Telnet connections on amqp and amqp+ssl transports remain visible in ActiveMQ (only from JMX!) even after they have been closed. Same happens for openssl connections.

This causes the maximumConnections limit to be reached and no more connections are accepted!!!

And it is therefore easy to perform a DoS.

To reproduce:
- configure ActiveMQ with the amqp or amqp+ssl transport
- monitor the connections via JMX, with jconsole (clientConnectors->amqp->remoteAddress)
- telnet on the transport port number
- see the new connection in jconsole
- close the telnet session completely
- connection is still visible in jconsole

If you set the maximumConnections to 3, after three telnets nobody can connect!

  was:
Telnet connections on amqp and amqp+ssl transports remain visible in ActiveMQ (only from JMX!) even after they have been closed. Same happens for openssl connections.

This causes the maximumConnections limit to be reached and no more connections are accepted!!!

And it is therefore easy to perform a DoS.

To reproduce:
- configure ActiveMQ with the amqp or amqp+ssl transport
- monitor the connections via JMX, with jconsole (clientConnectors->amqp->remoteAddress)
- telnet on the transport port number
- see the new connection in jconsole
- close the telnet session completely
- connection is still visible in jconsole

If you set the maximumConnections to 3, after three telnets nobody can connect!
- check


> Fake AMQP connections remain in ActiveMQ and cause denial of service
> --------------------------------------------------------------------
>
>                 Key: AMQ-5829
>                 URL: https://issues.apache.org/jira/browse/AMQ-5829
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Connector
>    Affects Versions: 5.11.1
>         Environment: Linux RedHat 5.5
>            Reporter: Leo Riguspi
>            Priority: Critical
>
> Telnet connections on amqp and amqp+ssl transports remain visible in ActiveMQ (only from JMX!) even after they have been closed. Same happens for openssl connections.
> This causes the maximumConnections limit to be reached and no more connections are accepted!!!
> And it is therefore easy to perform a DoS.
> To reproduce:
> - configure ActiveMQ with the amqp or amqp+ssl transport
> - monitor the connections via JMX, with jconsole (clientConnectors->amqp->remoteAddress)
> - telnet on the transport port number
> - see the new connection in jconsole
> - close the telnet session completely
> - connection is still visible in jconsole
> If you set the maximumConnections to 3, after three telnets nobody can connect!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
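
Added example, not part of the original JIRA message or of ActiveMQ's code: a defender-side check for the condition reported above, comparing the remoteAddress values the broker still lists in JMX with the kernel's socket table as printed by `ss -tn`. The `tcp://host:port` address format, port 5672 and all sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample data (not taken from the issue).
# remoteAddress values as read from the connector's JMX view (format assumed).
JMX_REMOTE_ADDRESSES = [
    "tcp://192.0.2.10:40112",
    "tcp://192.0.2.11:51844",
    "tcp://192.0.2.12:33920",
]
# Output of `ss -tn` on the broker host; the broker listens on 5672 (assumed).
SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      198.51.100.5:5672    192.0.2.10:40112
CLOSE-WAIT 0      0      198.51.100.5:5672    192.0.2.11:51844
ESTAB      0      0      198.51.100.5:22      192.0.2.50:60022
"""

def live_peers(ss_text, port):
    """Return peers that hold an ESTAB socket on the broker port."""
    peers = set()
    for line in ss_text.splitlines():
        fields = line.split()
        # Data rows have exactly 5 fields; the header row has more.
        if len(fields) != 5 or fields[0] != "ESTAB":
            continue  # CLOSE-WAIT etc. means the peer has already gone away
        if fields[3].rsplit(":", 1)[-1] == str(port):
            peers.add(fields[4])
    return peers

def stale_connections(jmx_addresses, ss_text, port):
    """Connections the broker still counts but the kernel no longer has live."""
    live = live_peers(ss_text, port)
    stale = []
    for addr in jmx_addresses:
        peer = re.sub(r"^\w+(\+\w+)?://", "", addr)  # strip tcp:// or amqp+ssl://
        if peer not in live:
            stale.append(addr)
    return stale

def slots_exhausted(jmx_addresses, maximum_connections):
    """True when the broker-side count has reached maximumConnections."""
    return len(jmx_addresses) >= maximum_connections

if __name__ == "__main__":
    for addr in stale_connections(JMX_REMOTE_ADDRESSES, SS_OUTPUT, 5672):
        print("stale broker connection:", addr)
    print("limit reached:", slots_exhausted(JMX_REMOTE_ADDRESSES, 3))
```

A non-empty stale list while the limit is reached is the signature of this report: the slots are consumed by connections that no longer exist at the TCP level.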