incubator-cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Edward Capriolo <edlinuxg...@gmail.com>
Subject Re: Denial of Service Issue
Date Fri, 11 Oct 2013 19:57:14 GMT
While you normally would not allow access to a MySQL server, it is done in
many instances like shared hosting.
Also mysql does support a max fail connection attempts feature that will
blacklist an IP for a time.


On Fri, Oct 11, 2013 at 3:37 PM, Richard Low <richard@wentnet.com> wrote:

> On 11 October 2013 14:03, <Thorsten.Sinn@t-systems.com> wrote:
>
>>  I found the issue below concerning inactive client connections (see *Cassandra
>> Security*<http://jkb.netii.net/index.php/pub/sinosqldb/cassandra-security>).
>> We are using Cassandra 1.2.4 and the Cassandra JDBC driver as client. Is
>> this still an existing issue?
>> Quoted from site above:
>> Denial of Service problem:
>> Cassandra uses a Thread- Per-Client model in its network code. Since
>> setting up a connection requires the Cassandra server to start a new thread
>> on each connection (in addition to the TCP overhead incurred by the
>> network), the Cassandra project recommends utilizing some sort of
>> connection pooling. An attacker can prevent the Cassandra server from
>> accepting new client connections by causing the Cassandra server to
>> allocate all its resources to fake connection attempts. The only pieces of
>> information required by an attacker are the IP addresses of the cluster
>> members, and this information can be obtained by passively sniffing the
>> network. The current implementation doesn’t timeout inactive connections,
>> so any connection that is opened without actually passing data consumes a
>> thread and a file-descriptor that are never released.
>>
>
>  This is still an issue, but you must not expose Cassandra to untrusted
> users.  Just like you wouldn't let untrusted users have network access to
> your Oracle, MySQL, etc. servers.
>
> Richard.
>
>>
>

Mime
View raw message