incubator-cassandra-user mailing list archives

From <Thorsten.S...@t-systems.com>
Subject Denial of Service Issue
Date Fri, 11 Oct 2013 13:03:29 GMT
I found the issue below concerning inactive client connections (see Cassandra Security <http://jkb.netii.net/index.php/pub/sinosqldb/cassandra-security>).
We are using Cassandra 1.2.4 and the Cassandra JDBC driver as client. Is this still an existing issue?

Quoted from the site above:

Denial of Service problem:
Cassandra uses a Thread-Per-Client model in its network code. Since setting up a connection requires the Cassandra server to start a new thread on each connection (in addition to the TCP overhead incurred by the network), the Cassandra project recommends utilizing some sort of connection pooling. An attacker can prevent the Cassandra server from accepting new client connections by causing the Cassandra server to allocate all its resources to fake connection attempts. The only pieces of information required by an attacker are the IP addresses of the cluster members, and this information can be obtained by passively sniffing the network. The current implementation doesn't time out inactive connections, so any connection that is opened without actually passing data consumes a thread and a file descriptor that are never released.
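As an added example (not from the list post, the quoted site, or the Cassandra code base), a minimal thread-per-connection echo server in Python that adds the two controls the quoted passage says are missing: an inactivity timeout that releases the thread and file descriptor of a silent client, and a hard cap on concurrently serviced connections. `HardenedEchoServer`, `exercise`, the loopback port and the timing values are all constructed for this illustration.

```python
import socket
import threading
import time

class HardenedEchoServer:
    """Thread-per-connection echo server that, unlike the model quoted above, drops
    clients silent for idle_timeout seconds and refuses connections beyond max_conn."""
    def __init__(self, idle_timeout=1.0, max_conn=4):
        self.idle_timeout = idle_timeout
        self.slots = threading.BoundedSemaphore(max_conn)  # hard cap on serviced clients
        self.sock = socket.create_server(("127.0.0.1", 0))  # loopback, ephemeral port
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self.sock.accept()
            if not self.slots.acquire(blocking=False):
                conn.close()  # fail fast instead of parking a thread on yet another client
                continue
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        try:
            conn.settimeout(self.idle_timeout)  # the inactivity timeout the quote says is absent
            while data := conn.recv(1024):
                conn.sendall(data)
        except socket.timeout:
            pass  # silent client: give up its thread and fd instead of waiting forever
        finally:
            conn.close()          # file descriptor released
            self.slots.release()  # worker slot released

def exercise(idle_timeout=1.0, max_conn=2):
    # Constructed client side: hold every slot with silent connections, try one more,
    # wait past the idle timeout, then check that a real client is still served.
    srv = HardenedEchoServer(idle_timeout, max_conn)
    addr = ("127.0.0.1", srv.port)
    idle = [socket.create_connection(addr, timeout=5) for _ in range(max_conn)]
    time.sleep(0.3)
    extra = socket.create_connection(addr, timeout=5)
    extra_closed = extra.recv(16) == b""  # refused while every slot is held
    time.sleep(idle_timeout + 0.5)
    idle_closed = sum(c.recv(16) == b"" for c in idle)  # reaped by the timeout
    live = socket.create_connection(addr, timeout=5)
    live.sendall(b"ping")
    echo = live.recv(16)
    for c in idle + [extra, live]:
        c.close()
    return {"extra_closed": extra_closed, "idle_closed": idle_closed, "echo": echo}
```

The same two observations (a refused surplus connection, and silent connections closed once the timeout fires) are what a defender would watch for as metrics on a real server.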