Message-ID: <3CCE2B5F.8020305@lokitech.com>
Date: Tue, 30 Apr 2002 01:27:59 -0400
From: Serge Knystautas
To: avalon-dev@jakarta.apache.org
List-Id: "Avalon Developers List"
Subject: [Fwd: Re: James stops responding after many TCP connections to SMTP service - DOS attack possible?]

Someone on the james user list reported this problem, and I wasn't sure
if it's been patched... they're running against the james 2.0a2 release,
which means they're using mid-Nov 2001 snapshots from Avalon if that
helps. Otherwise just thought I should share this user's notes.
-- 
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

Message-ID: <3CCC4B02.62AE004B@mindspring.com>
Date: Sun, 28 Apr 2002 12:18:26 -0700
From: Brad Wallace
To: James Users List
Subject: Re: James stops responding after many TCP connections to SMTP service - DOS attack possible?
References: <3CC5F023.33C09BE4@mindspring.com>

Just a follow-up - I've determined that it takes approximately 1500-1700
tcp connections, one every 5 seconds, to cause this OutOfMemoryError.
Without these connections, my James installation is stable for days.
It still looks like an easy way to take out a james server - in my case
this happens in about 2.2 hours, but I expect that the same effect could
be created by sending the connections faster. I'm going to have to try
going back to James 1.2.1 to see if I can get around this b/c it's
useless in my environment with this kind of bug.

-Brad

Brad Wallace wrote:
>
> Hi All - I'm running James in a load balanced environment (required by
> our policies... ;-) One side effect of this is that the load balancers
> establish repeated TCP connections to the SMTP service and then break
> them (TCP RST or FIN I expect). They do this to verify that the service
> is listening and accepting inbound connections. Right now I'm running
> in debug mode, so these connections are being logged - I've included
> samples below.
>
> Here's the problem - after james has been running for some period of
> time less than 1 week, I get the following on stdout:
>
> Logging Error: Unknown error writing event.
> java.lang.OutOfMemoryError
> <>
>
> and then james stops responding. So far I've had to restart james each
> time to get this fixed. I'll admit that the frequent TCP connection
> setups and breakdowns are a quirk of this type of environment, but it
> concerns me also b/c this seems like an easy DOS (Denial of Service)
> attack on a james server - simply establish and break TCP connections
> every 5 seconds or so for a while and it will hang until someone
> restarts it - it's not yet clear exactly how long you have to repeat
> these TCP connections for, but it's somewhere in the hours - days range,
> but not weeks. And every 5 seconds probably isn't frequent enough to
> trigger most firewalls' DOS filters, so this is pretty likely to get
> through.
>
> I'm running:
>
> James 2.0a2 with just the SMTP listener (no pop3, nntp, remote admin,
> etc)
> java-1.3.1_02
> Solaris 7
>
> Thanks much for any input.
>
> -Brad
>
> Logs Excerpts:
>
> smtpserver.log:
>
> Tue Apr 23 22:02:58 GMT 2002 [INFO ] (smtpserver): Hello Name is:
>
> Tue Apr 23 22:02:58 GMT 2002 [DEBUG ] (smtpserver): Max message size is: 0
> Tue Apr 23 22:02:58 GMT 2002 [INFO ] (smtpserver): Connection from ()
> Tue Apr 23 22:02:58 GMT 2002 [DEBUG ] (smtpserver): Socket to balancer IP> closed remotely.
> java.net.SocketException: Connection reset by peer: Connection reset by peer
>     at java.net.SocketInputStream.socketRead(Native Method)
>     at java.net.SocketInputStream.read(SocketInputStream.java:90)
>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
>     at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
>     at java.io.DataInputStream.readLine(DataInputStream.java:449)
>     at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:163)
>     at org.apache.avalon.cornerstone.blocks.connection.ConnectionRunner.run(Connection.java:163)
> Tue Apr 23 22:02:58 GMT 2002 [ERROR ] (smtpserver): Connection timeout on socket
>
> connections.log:
>
> Tue Apr 23 22:11:34 GMT 2002 [DEBUG ] (connections): Starting connection on Socket[addr=/ IP>,port=,localport=]
> Tue Apr 23 22:11:34 GMT 2002 [DEBUG ] (connections): Ending connection on Socket[addr=/,port= port>,localport=]
> Tue Apr 23 22:11:36 GMT 2002 [ERROR ] (connections): Exception accepting connection
> java.net.SocketException: Software caused connection abort
>     at java.net.PlainSocketImpl.socketAccept(Native Method)
>     at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:468)
>     at java.net.ServerSocket.implAccept(ServerSocket.java:243)
>     at java.net.ServerSocket.accept(ServerSocket.java:222)
>     at org.apache.avalon.cornerstone.blocks.connection.Connection.run(Connection.java:93)
>     at org.apache.avalon.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:47)
>     at org.apache.avalon.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:80)
> Tue Apr 23 22:11:38 GMT 2002 [DEBUG ] (connections): Starting connection on Socket[addr=/ IP>,port=,localport=]
> Tue Apr 23 22:11:38 GMT 2002 [DEBUG ] (connections): Ending connection on Socket[addr=/,port= port>,localport=]
> Tue Apr 23 22:11:40 GMT 2002 [ERROR ] (connections): Exception accepting connection
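
One way to spot the open-and-drop connection pattern reported in this thread from a connections.log in the layout quoted above. This is an added example, not code from either poster or from the James or Avalon projects. The sample addresses and ports, the `churn_report` name and the 1-second lifetime cutoff are assumptions; 1500 is the low end of the connection count the follow-up reports for that one installation, not a general threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the thread's connections.log layout; addresses and ports are invented.
SAMPLE_LOG = """\
Tue Apr 23 22:11:30 GMT 2002 [DEBUG ] (connections): Starting connection on Socket[addr=/192.0.2.10,port=40001,localport=25]
Tue Apr 23 22:11:30 GMT 2002 [DEBUG ] (connections): Ending connection on Socket[addr=/192.0.2.10,port=40001,localport=25]
Tue Apr 23 22:11:32 GMT 2002 [ERROR ] (connections): Exception accepting connection
Tue Apr 23 22:11:33 GMT 2002 [DEBUG ] (connections): Starting connection on Socket[addr=/192.0.2.77,port=51000,localport=25]
Tue Apr 23 22:11:35 GMT 2002 [DEBUG ] (connections): Starting connection on Socket[addr=/192.0.2.10,port=40002,localport=25]
Tue Apr 23 22:11:35 GMT 2002 [DEBUG ] (connections): Ending connection on Socket[addr=/192.0.2.10,port=40002,localport=25]
Tue Apr 23 22:11:40 GMT 2002 [DEBUG ] (connections): Starting connection on Socket[addr=/192.0.2.10,port=40003,localport=25]
Tue Apr 23 22:11:40 GMT 2002 [DEBUG ] (connections): Ending connection on Socket[addr=/192.0.2.10,port=40003,localport=25]
Tue Apr 23 22:11:45 GMT 2002 [DEBUG ] (connections): Ending connection on Socket[addr=/192.0.2.77,port=51000,localport=25]
"""

LINE = re.compile(
    r"^\w{3} (\w{3} +\d+ [\d:]{8}) GMT (\d{4}) \[\w+\s*\] \(connections\): "
    r"(Starting|Ending) connection on Socket\[addr=/([^,\]]+),port=(\d+),")

# max_lifetime_s is an assumed cutoff; reported_limit is the thread's lower figure.
def churn_report(log_text, max_lifetime_s=1.0, reported_limit=1500):
    """Per source address: connections closed within max_lifetime_s, their mean
    spacing, and hours until reported_limit of them accumulate at that rate."""
    opened = {}                 # (addr, port) -> time the connection started
    probes = defaultdict(list)  # addr -> start times of short-lived connections
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue            # accept errors, stack traces, other messages
        when = datetime.strptime(f"{m[1]} {m[2]}", "%b %d %H:%M:%S %Y")
        key = (m[4], m[5])
        if m[3] == "Starting":
            opened[key] = when
        elif key in opened:
            start = opened.pop(key)
            if (when - start).total_seconds() <= max_lifetime_s:
                probes[m[4]].append(start)
    report = {}
    for addr, starts in probes.items():
        gaps = len(starts) - 1
        interval = (starts[-1] - starts[0]).total_seconds() / gaps if gaps else None
        hours = reported_limit * interval / 3600 if interval else None
        report[addr] = {"short_lived": len(starts), "interval_s": interval,
                        "hours_to_limit": hours}
    return report

if __name__ == "__main__":
    print(churn_report(SAMPLE_LOG))
```

At the 5-second spacing in the sample, the projection comes out at roughly 2.1 hours, in line with the "about 2.2 hours" reported in the follow-up.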