  1. Thrift
  2. THRIFT-3970

Server does not limit client connections



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 0.9.3
    • Fix Version/s: 0.9.3
    • Component/s: C++ - Library
    • Labels:


      Currently connections from clients are only closed by the server when a receive timeout is configured or the client is sending invalid messages that cause exceptions on the server (with THRIFT-3957 and THRIFT-3961 merged).
      That means that the client can continue to occupy a limited open connection, as long as it sends valid messages in regular intervals.

      To demonstrate the issue the appended patch enables the connection limit and receive timeout on the TestServer and the appended python script opens many connections to it, thus rapidly exhausting the client connection limit.

      Starting the server:

      $ bin/TestServer --protocol=json --transport=http --server-type=thread-pool --port=9080

      Starting the script:

      $ ./ThriftDOSAttack.py http://localhost:9080 3

      After a short period the connection limit of the server should be exhausted and new connections are denied.

      To stop the python script you have to do this in a separate terminal:

      $ kill $(pgrep -f "ThriftDOSAttack.py")

      Here are a few ideas to prevent this scenario:

      • Implement a traffic limit for every connection; after the limit is reached, disconnect the client.
      • Limit size of a single RPC call and limit number of calls per connection
      • Limit number of connections per IP
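
The three ideas above can be combined into one admission policy that a server consults on accept and before dispatching each call. The sketch below is an added example, not part of the issue's attachments or of Thrift itself; `ConnectionPolicy`, `Limits`, `Verdict` and the hook names are hypothetical, and it assumes the server can supply the peer IP, a unique connection id and the size of each received message.

```cpp
#include <cstddef>
#include <map>
#include <string>
// Hypothetical limits; none of these names are Thrift APIs.
struct Limits {
  std::size_t maxConnsPerIp;    // connections allowed per client IP
  std::size_t maxCallBytes;     // largest single RPC message accepted
  std::size_t maxCallsPerConn;  // calls served before the server disconnects
  std::size_t maxBytesPerConn;  // traffic budget for one connection
};
enum class Verdict { Allow, RejectConnection, Disconnect };
class ConnectionPolicy {
 public:
  explicit ConnectionPolicy(Limits l) : limits_(l) {}
  // Call on accept (connId assumed unique): refuse when this IP is at its cap.
  Verdict onAccept(const std::string& ip, int connId) {
    auto ipIt = perIp_.find(ip);
    std::size_t held = (ipIt == perIp_.end()) ? 0 : ipIt->second;
    if (held >= limits_.maxConnsPerIp) return Verdict::RejectConnection;
    perIp_[ip] = held + 1;
    conns_[connId] = State{ip, 0, 0};
    return Verdict::Allow;
  }
  // Call once per received RPC message, before dispatching it.
  Verdict onCall(int connId, std::size_t messageBytes) {
    auto it = conns_.find(connId);
    if (it == conns_.end()) return Verdict::Disconnect;  // unknown connection
    State& s = it->second;
    if (messageBytes > limits_.maxCallBytes) return Verdict::Disconnect;
    if (s.calls + 1 > limits_.maxCallsPerConn) return Verdict::Disconnect;
    // s.bytes never exceeds the budget, so this subtraction cannot wrap.
    if (messageBytes > limits_.maxBytesPerConn - s.bytes) return Verdict::Disconnect;
    ++s.calls;
    s.bytes += messageBytes;
    return Verdict::Allow;
  }
  // Call on close (including after a Disconnect verdict) to free the slot.
  void onClose(int connId) {
    auto it = conns_.find(connId);
    if (it == conns_.end()) return;
    auto ipIt = perIp_.find(it->second.ip);
    if (ipIt != perIp_.end() && --ipIt->second == 0) perIp_.erase(ipIt);
    conns_.erase(it);
  }
 private:
  struct State { std::string ip; std::size_t calls; std::size_t bytes; };
  Limits limits_;
  std::map<std::string, std::size_t> perIp_;
  std::map<int, State> conns_;
};
```

A client that keeps sending valid messages at regular intervals still runs out of its call or byte budget and is disconnected, which returns the slot to the pool; the per-IP cap bounds how many slots one address can hold at a time.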


        1. TestServer.patch
          3 kB
          Claudius Heine
        2. ThriftDOSAttack.py
          2 kB
          Claudius Heine

              • Assignee:
                jking3 James E. King III
                cmhe Claudius Heine