ant-notifications mailing list archives

From "Ernest Pasour (JIRA)" <j...@apache.org>
Subject [jira] Commented: (IVY-854) Evil behavior form resolve latest.status: performs DOS attacks
Date Mon, 27 Jul 2009 12:38:17 GMT

    [ https://issues.apache.org/jira/browse/IVY-854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12735587#action_12735587
] 

Ernest Pasour commented on IVY-854:
-----------------------------------

It appears that the problem we are experiencing right now is because of all the attempts to
read non-existent directories using the ApacheURLLister class.  When the connection attempts
(and fails) to get the input stream, it is apparently enough to create a connection, but the
connection is not cleaned up properly, even using the disconnect call.  The code below reproduces
the problem (on Windows) if you put the proper data in the url definition.  You will get the
BindException after about 15 seconds.  If you do a "netstat" from the command line, you will
see lots of connections in the TIME_WAIT state.

I think Nascif's idea above makes sense to reduce the number of connections being made.  I
think it would also make sense to reduce the number of invalid URLs used.  I hacked together
some code to keep a hash of the shortest invalid URLs and then not attempt to make connections
when subsequent URLs show up with an invalid prefix.  This seems to work but I haven't really
validated it yet.  This idea could also be used in conjunction with Nascif's idea.

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.BindException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;

public class Test2 {
    public static void main(String[] args) throws IOException {
        // Loops forever; each failed request leaves a socket behind in TIME_WAIT.
        for (int i = 0;; i++) {
            // shows problem
            URL url = new URL("http", "<your server>", 80, "<bad path on server>");
            // works fine; does not leak connections
            // URL url = new URL("http", "<your server>", 80, "<existing path on server>");
            URLConnection conn = url.openConnection();
            String htmlText = "";
            try {
                // getInputStream() opens the connection and fails for the bad path
                BufferedReader r = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            } catch (BindException e) {
                // thrown once no local ports are left: "Address already in use: connect"
                e.printStackTrace();
            } catch (IOException e) {
                // expected for the non-existent path; ignored so the loop continues
            } finally {
                if (conn instanceof HttpURLConnection) {
                    // disconnect() is called, yet the connections still accumulate
                    ((HttpURLConnection) conn).disconnect();
                }
            }
        }
    }
}


> Evil behavior form resolve latest.status: performs DOS attacks
> --------------------------------------------------------------
>
>                 Key: IVY-854
>                 URL: https://issues.apache.org/jira/browse/IVY-854
>             Project: Ivy
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.0.0-beta-2
>         Environment: windows xp sp2, linux fedora core 9, running Ivy repository through
>                      http for remote resolving and Hudson CI server (publishing to the repo).
>            Reporter: Hans Lund
>            Assignee: Maarten Coene
>             Fix For: 2.0-RC1
>
>
> Ivy is extremely aggressive towards repositories. This can result in
> resolving fails, even towards a healthy repository. 
> The symptom:
> [ivy:resolve] 01-07-2008 13:16:24
> org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
> [ivy:resolve] INFO: I/O exception (java.net.BindException) caught when
> processing request: Address already in use: connect.
> In effect this happens when Ivy has performed a successful DOS attack against the repository.
>
> This is especially a problem when having large repositories (lots of revisions) and resolve
> against latest.status -> as this will fetch ivy.xml md5 and sha1 files for every revision.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
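
The prefix idea from the comment above (remember the shortest invalid URLs and skip later URLs that start with one), sketched as an added example; it is not the commenter's code and not Ivy's. The class name MissingPrefixCache, the repo.example URLs and the expiry time are assumptions; the expiry is there because a later publish to the repository can create a directory that was missing before.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper (not part of Ivy): negative cache of missing directory URLs. */
public class MissingPrefixCache {
    // Shortest known-missing directory prefix -> time (ms) at which the entry expires.
    private final Map<String, Long> missing = new HashMap<>();
    private final long ttlMillis;

    public MissingPrefixCache(long ttlMillis) { this.ttlMillis = ttlMillis; }

    private static String asDir(String url) { return url.endsWith("/") ? url : url + "/"; }

    /** True if url is at or below a directory recorded as missing and not yet expired. */
    public synchronized boolean isKnownMissing(String url, long now) {
        String u = asDir(url);
        int scheme = u.indexOf("://");
        int start = (scheme < 0) ? 0 : scheme + 3;       // skip the slashes of "http://"
        for (int i = u.indexOf('/', start); i >= 0; i = u.indexOf('/', i + 1)) {
            String prefix = u.substring(0, i + 1);       // every parent directory of url
            Long expiry = missing.get(prefix);
            if (expiry == null) continue;
            if (expiry > now) return true;               // caller can skip the connection
            missing.remove(prefix);                      // stale entry: probe again
        }
        return false;
    }

    /** Record a failed listing, keeping only the shortest prefix that covers it. */
    public synchronized void recordMissing(String url, long now) {
        if (isKnownMissing(url, now)) return;            // already covered by a parent
        String u = asDir(url);
        missing.keySet().removeIf(p -> p.startsWith(u)); // drop children now covered by u
        missing.put(u, now + ttlMillis);
    }

    public static void main(String[] args) {
        MissingPrefixCache cache = new MissingPrefixCache(60_000);
        String[] probes = {                              // constructed sample URLs
            "http://repo.example/org/mod/1.0/",
            "http://repo.example/org/",
            "http://repo.example/org/mod/2.0/ivy.xml",
            "http://repo.example/other/",
        };
        cache.recordMissing(probes[0], 0);
        cache.recordMissing(probes[1], 0);               // shorter prefix replaces the longer
        for (String p : probes) {
            System.out.println(p + " skip=" + cache.isKnownMissing(p, 0));
        }
        System.out.println("after expiry skip=" + cache.isKnownMissing(probes[2], 60_001));
    }
}
```

A caller would check isKnownMissing before opening a connection and call recordMissing when a directory listing fails, so repeated probes under a missing directory no longer consume local ports.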

