THRIFT-3970: Server does not limit client connections


Details

• Type: Bug
• Status: Closed
• Priority: Major
• Resolution: Cannot Reproduce
• Affects Version/s: 0.9.3
• Fix Version/s: 0.9.3
• Component/s: C++ - Library

Description

Currently, connections from clients are only closed by the server when a receive timeout is configured or the client sends invalid messages that cause exceptions on the server (with THRIFT-3957 and THRIFT-3961 merged).
That means that a client can continue to occupy one of the limited open connections as long as it sends valid messages at regular intervals.

To demonstrate the issue, the appended patch enables the connection limit and receive timeout on the TestServer, and the appended Python script opens many connections to it, thus rapidly exhausting the client connection limit.

      Starting the server:

$ bin/TestServer --protocol=json --transport=http --server-type=thread-pool --port=9080

      Starting the script:

$ ./ThriftDOSAttack.py http://localhost:9080 3

After a short period the connection limit of the server should be exhausted, and new connections are denied.

To stop the Python script you have to do this in a separate terminal:

$ kill $(pgrep -f "ThriftDOSAttack.py")

Here are a few ideas to prevent this scenario:

• Implement traffic limitation for every connection; after the limit is reached, disconnect the client.
• Limit the size of a single RPC call and limit the number of calls per connection.
• Limit the number of connections per IP.
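The three ideas above can be combined into a single admission policy that the server consults once on accept and once per received frame. The following is an added example, not code from the Thrift project or from the reporter's attachments; it models the policy in plain Python with no Thrift dependency, and the class, method and IP names are hypothetical. It also replays the scenario described in the report (one peer opening many connections and keeping each alive with small, valid frames) against both an unlimited and a limited policy so the effect of the per-IP cap is visible.

```python
"""Connection-admission policy sketch for a Thrift-style RPC server (added example).

Models the mitigation ideas from THRIFT-3970: a per-connection traffic cap,
a per-call size cap, a per-connection call cap and a per-IP connection cap.
All names here are hypothetical; a real server would call on_accept() from
its accept loop, on_message() for every inbound frame and on_close() when a
socket is torn down.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ConnectionState:
    peer_ip: str
    bytes_received: int = 0
    calls: int = 0


@dataclass
class AdmissionPolicy:
    max_total_connections: int
    max_connections_per_ip: int
    max_calls_per_connection: int
    max_bytes_per_connection: int
    max_message_bytes: int
    _per_ip: dict = field(default_factory=lambda: defaultdict(int))
    _conns: dict = field(default_factory=dict)

    def on_accept(self, conn_id: str, peer_ip: str) -> bool:
        """Decide whether to keep a freshly accepted socket; False means close it."""
        if len(self._conns) >= self.max_total_connections:
            return False
        if self._per_ip[peer_ip] >= self.max_connections_per_ip:
            return False  # this peer already holds its share of the pool
        self._conns[conn_id] = ConnectionState(peer_ip)
        self._per_ip[peer_ip] += 1
        return True

    def on_message(self, conn_id: str, size: int) -> bool:
        """Account one inbound RPC frame; False means disconnect the client."""
        st = self._conns.get(conn_id)
        if st is None:
            return False
        st.calls += 1
        st.bytes_received += size
        over_limit = (
            size > self.max_message_bytes
            or st.calls > self.max_calls_per_connection
            or st.bytes_received > self.max_bytes_per_connection
        )
        if over_limit:
            self.on_close(conn_id)  # free the slot for other peers
            return False
        return True

    def on_close(self, conn_id: str) -> None:
        """Release the connection's slot and its per-IP count."""
        st = self._conns.pop(conn_id, None)
        if st is not None:
            self._per_ip[st.peer_ip] -= 1
            if self._per_ip[st.peer_ip] == 0:
                del self._per_ip[st.peer_ip]

    def active(self) -> int:
        return len(self._conns)


def simulate(policy: AdmissionPolicy, noisy_ip: str, other_ip: str, attempts: int):
    """Constructed scenario: `noisy_ip` opens `attempts` connections and keeps
    each alive with one small valid frame; afterwards `other_ip` tries once.
    Returns (connections the noisy peer kept, whether the other peer got in)."""
    kept = 0
    for i in range(attempts):
        cid = f"{noisy_ip}#{i}"
        if policy.on_accept(cid, noisy_ip):
            kept += 1
            policy.on_message(cid, 64)  # small, well-formed frame
    other_ok = policy.on_accept(f"{other_ip}#0", other_ip)
    return kept, other_ok


if __name__ == "__main__":
    # Pool of 10 slots; first without, then with a per-IP cap of 3.
    unlimited = AdmissionPolicy(10, 10, 100, 1_000_000, 65536)
    print("no per-IP cap:", simulate(unlimited, "10.0.0.1", "10.0.0.2", 50))
    capped = AdmissionPolicy(10, 3, 100, 1_000_000, 65536)
    print("per-IP cap 3: ", simulate(capped, "10.0.0.1", "10.0.0.2", 50))
```

With no per-IP cap the noisy peer fills all ten slots and the other peer is refused, which is the situation the report describes; with the cap it keeps three and the other peer is admitted. The call and byte caps close a connection from inside on_message(), so a client that stays within its per-IP share but never goes idle still loses the slot eventually.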

Attachments

1. TestServer.patch (3 kB, Claudius Heine)
2. ThriftDOSAttack.py (2 kB, Claudius Heine)

People

• Assignee: James E. King III (jking3)
• Reporter: Claudius Heine (cmhe)
• Votes: 0
• Watchers: 2
