activemq-dev mailing list archives

From "Jim Gomes (JIRA)" <jira+amq...@apache.org>
Subject [jira] [Resolved] (AMQNET-415) Client with wrong credentials overloads server when using failover
Date Tue, 26 Feb 2013 22:14:13 GMT

     [ https://issues.apache.org/jira/browse/AMQNET-415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jim Gomes resolved AMQNET-415.
------------------------------

    Resolution: Fixed
    
> Client with wrong credentials overloads server when using failover
> ------------------------------------------------------------------
>
>                 Key: AMQNET-415
>                 URL: https://issues.apache.org/jira/browse/AMQNET-415
>             Project: ActiveMQ .Net
>          Issue Type: Bug
>          Components: ActiveMQ, NMS
>    Affects Versions: 1.5.6
>         Environment: ActiveMQ Broker 5.6.0
>            Reporter: Jim Gomes
>            Assignee: Jim Gomes
>            Priority: Minor
>              Labels: authentication, failover
>             Fix For: 1.5.7
>
>
> If the ActiveMQ broker has been secured to enforce login credentials, the NMS client
> will continually attempt to authenticate against it if it is using the failover protocol.
> Steps to Reproduce:
> ----------------------
> 1. Configure the broker to require login credentials for connections.
> 2. Configure the NMS client to use failover mode.
> 3. Configure the NMS client with incorrect login credentials.
> 4. Attempt to connect the NMS client to the server.
> Results:
> ----------------------
> The client reattempts login continuously without backing off, and has a significant impact
> on the performance of the server.
> Expected:
> ----------------------
> The client should not enter failover, because it never successfully connected, and it
> would never expect to connect.
> Notes:
> ----------------------
> This was experienced using the OpenWire client, but a similar bug may exist in the STOMP
> client's failover code.
> The broker may also want to protect itself against this, as this is an easy attack vector
> for a DDoS.  Just a couple of clients attempting to log in with invalid credentials can dramatically
> impact the server's performance, not just the broker.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
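
The behaviour the report asks for (no failover when the broker rejects the credentials, and a capped backoff between retries when the transport really drops), as an added example that is not part of the original message and is not NMS code. All names here (AuthenticationError, TransportError, connect_with_failover, StubBroker) are hypothetical, and the broker is a constructed stand-in that only counts login attempts.

```python
class AuthenticationError(Exception):
    """Broker rejected the credentials: permanent until the config changes."""

class TransportError(Exception):
    """Connection dropped or refused: transient, worth retrying."""

def connect_with_failover(connect, sleep, max_attempts=8,
                          initial_delay=0.5, max_delay=30.0, multiplier=2.0):
    """Call connect() until it succeeds; return (connection, delays slept).

    A rejected login is raised at once and never retried. Transport
    failures are retried with capped exponential backoff."""
    delays, delay = [], initial_delay
    for attempt in range(1, max_attempts + 1):
        try:
            return connect(), delays
        except AuthenticationError:
            raise  # retrying cannot succeed and only loads the broker
        except TransportError:
            if attempt == max_attempts:
                raise
            sleep(delay)
            delays.append(delay)
            delay = min(delay * multiplier, max_delay)

class StubBroker:
    """Constructed stand-in for a secured broker; counts login attempts."""
    def __init__(self, password, drops=0):
        self.password, self.drops, self.attempts = password, drops, 0

    def login(self, password):
        self.attempts += 1
        if self.drops > 0:  # simulate a flaky link before authentication
            self.drops -= 1
            raise TransportError("connection reset")
        if password != self.password:
            raise AuthenticationError("bad credentials")
        return "session"

def demo():
    slept = []  # sleep is injected, so waits are recorded instead of taken
    bad = StubBroker("s3cret")
    try:
        connect_with_failover(lambda: bad.login("wrong"), slept.append)
    except AuthenticationError:
        pass
    flaky = StubBroker("s3cret", drops=3)
    _, delays = connect_with_failover(lambda: flaky.login("s3cret"), slept.append)
    return bad.attempts, flaky.attempts, delays
```

demo() returns the login count seen by the broker for the wrong-password client, the count for a client with correct credentials on a flaky link, and the waits taken between that client's attempts.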
