[AMQ-5829] Fake AMQP connections remain in ActiveMQ and cause denial of service - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Duplicate
Affects Version/s: 5.11.1
Fix Version/s: 5.12.0
Component/s: Connector
Labels:
None
Environment:

Linux RedHat 5.5

Flags:

Important

Description

Telnet connections on amqp and amqp+ssl transports remain visible in ActiveMQ (only from JMX!) even after they have been closed. Same happens for openssl connections.

This causes the maximumConnections limit to be reached and no more connections are accepted!!!

And it is therefore easy to perform a DoS.

To reproduce:

configure ActiveMQ with the amqp or amqp+ssl transport
monitor the connections via JMX, with jconsole (clientConnectors->amqp->remoteAddress)
telnet on the transport port number
see the new connection in Jconsole
close the telnet session completely
connection is still visible in jconsole

If you set the maximumConnections to 3, after three telnets nobody can connect!

Attachments

Issue Links

relates to

AMQ-5731 AMQP: corrupted incoming frame can cause the connection to drop but not be unregistered on the Broker.

Resolved

AMQ-5757 AMQP: Add support for heartbeats and inactivity monitoring.

Resolved

AMQ-5587 AMQP shutdown transport if no connection attempt received after a configurable delay.

Resolved

Activity

People

Assignee:: Unassigned

Reporter:: Leo Riguspi

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/Jun/15 15:44

Updated:: 05/Jun/15 16:34

Resolved:: 05/Jun/15 16:34