cocoon-dev mailing list archives

From Bertrand Delacretaz <bdelacre...@codeconsult.ch>
Subject Re: [RT] FOM (session/continuation DOS attacks)
Date Wed, 28 May 2003 05:56:34 GMT
On Tuesday, 27 May 2003, at 18:33 Europe/Zurich, Stefano Mazzocchi wrote:

> on 5/27/03 2:33 AM Bertrand Delacretaz wrote:
>> ...I like that, but isn't there a possible attack where a client
>> makes a lot of requests without cookies/session IDs, and overflows the
>> poor server who's creating millions of Sessions without asking anything
>> first?
>
> the same could be said for continuations or for any other
> client-initiated server-side memory occupation....

Yes, I think the only safe way of avoiding such DOS attacks is to 
create sessions/continuations only *after* a successful login is 
received from the client.

Which means that, to be safe, login will have to be handled outside of 
Flow. It's not a concern of the FOM then; it goes back to the application 
design level.

> ...No. If you use a while(true) {} loop with sendPageAndWait() in the
> middle, you are creating a continuation for every failed login action.
> This is a potential DoS attack, but it could be super-easy to avoid by
> not allowing more than n loops from the same IP address....

Not so easy, I think: you might be getting many requests from the same 
IP if clients are using NAT, and it is fairly hard to select "n" and the 
max. rate of session/continuation creation that you accept. But that's 
off-topic here.

-Bertrand
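The trade-off argued in this thread, as an added example that is not part of the original message or of Cocoon itself: a toy model in which one login design allocates a session/continuation entry for every request (the `while(true)` + `sendPageAndWait()` pattern) and the other only after the credentials check succeeds; `VALID_USERS`, `StateStore`, `loginStateFirst`, `loginAfterAuth` and `runFlood` are all constructed for this illustration.

```javascript
// Added example, not Cocoon code: a toy model of the two login designs in the
// thread. Design A allocates server-side state before authentication; design B
// allocates it only after the credential check succeeds. Both are flooded.

// Constructed credential store; a real deployment would store password hashes.
const VALID_USERS = new Map([["alice", "correct horse battery staple"]]);
// Stands in for the server's session/continuation table: one entry per token.
class StateStore {
  constructor() { this.entries = new Map(); this.nextId = 1; }
  create(payload) {
    const id = String(this.nextId++);
    this.entries.set(id, payload);
    return id;
  }
  size() { return this.entries.size; }
}

// Design A (like a while(true) { sendPageAndWait() } login loop): state is
// allocated for every request, whether or not the credentials are valid.
function loginStateFirst(store, req) {
  const token = req.cookie || store.create({ attempts: 0 }); // allocate first
  const ok = VALID_USERS.get(req.user) === req.password;
  return { token, ok };
}

// Design B (login handled outside Flow): state is allocated only after a
// successful credential check, so a failed attempt leaves nothing behind.
function loginAfterAuth(store, req) {
  if (req.cookie) return { token: req.cookie, ok: true };
  const ok = VALID_USERS.get(req.user) === req.password;
  return { token: ok ? store.create({ user: req.user }) : null, ok };
}

// Flood both designs with n cookie-less requests carrying wrong passwords,
// then perform one genuine login. Returns the entries each server still holds.
function runFlood(n) {
  const a = new StateStore(), b = new StateStore();
  for (let i = 0; i < n; i++) {
    const bogus = { cookie: null, user: "alice", password: "guess-" + i };
    loginStateFirst(a, bogus);
    loginAfterAuth(b, bogus);
  }
  const real = { cookie: null, user: "alice", password: VALID_USERS.get("alice") };
  loginStateFirst(a, real);
  loginAfterAuth(b, real);
  return { stateFirst: a.size(), afterAuth: b.size() };
}

console.log(runFlood(100000)); // prints { stateFirst: 100001, afterAuth: 1 }
```

Design A's table grows by one entry per unauthenticated request, which is exactly the client-initiated memory occupation the thread worries about; design B's table size is bounded by the number of successful logins.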
