zookeeper-dev mailing list archives

From "Michael Han (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Wed, 15 Feb 2017 04:42:41 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867239#comment-15867239 ]

Michael Han commented on ZOOKEEPER-2693:
----------------------------------------

As for the patch for branch-3.4, I am thinking instead of disabling a subset of commands, we could
just add a rate limiter. All commands will still be available to use (including the wchp/wchc
ones), but they are rate limited so as not to cause any damage. Disabling a subset of commands
does not solve the root issue, and I imagine it might still be possible to DOS the servers'
acceptor threads by just utilizing whitelisted four letter words at massive scale on the client
side.

The configuration option of disabling 4lw or a subset of it seems like an ultimate escape hatch
- I guess it does not hurt to provide both as options for users, but for branch-3.4 it looks
like a rate limiter is a must-have to address current and potential issues when the server client
port is publicly accessible.

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port
> - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
> port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
> trusted applications using it for coordination.
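An added simulation of the trade-off discussed in the comment above; it is not code from ZooKeeper or from this thread, and is written in Python rather than the server's Java. It puts a per-source token bucket in front of the 4lw handler, compares it with a whitelist-only policy, and shows that a whitelist still admits an unbounded flood of cheap commands while the bucket caps both cheap and expensive ones. The command cost table, bucket sizes and the `decide`/`simulate_flood` helpers are assumptions made for the example.

```python
from collections import defaultdict

# Assumed per-command cost (not ZooKeeper's numbers): wchp/wchc walk the whole
# watch table, so they are weighted heavier than cheap probes such as ruok.
COMMAND_COST = {"ruok": 1, "stat": 1, "srvr": 1, "cons": 2,
                "wchs": 1, "wchp": 10, "wchc": 10}


class TokenBucket:
    """Classic token bucket: `capacity` tokens, refilled at `refill` tokens/sec."""

    def __init__(self, capacity, refill):
        self.capacity, self.refill = capacity, refill
        self.tokens, self.last = float(capacity), None

    def take(self, cost, now):
        if self.last is not None:  # refill for the time elapsed since last call
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class FourLetterWordGate:
    """Decides whether a 4lw request from `source` is served, refused outright
    because the command is not whitelisted, or dropped by the rate limiter."""

    def __init__(self, whitelist=None, capacity=None, refill=0):
        self.whitelist = set(whitelist) if whitelist is not None else None
        self.capacity = capacity  # None means "no rate limiting at all"
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill))

    def decide(self, cmd, source, now):
        if self.whitelist is not None and cmd not in self.whitelist:
            return "rejected"       # command disabled by configuration
        if self.capacity is not None and \
                not self.buckets[source].take(COMMAND_COST.get(cmd, 1), now):
            return "rate-limited"   # this source has exhausted its bucket
        return "served"


def simulate_flood(gate, cmd, source, requests, interval):
    """Send `requests` copies of `cmd` from one source, `interval` seconds apart
    (constructed traffic, simulated clock); return a count per decision."""
    counts = {"served": 0, "rejected": 0, "rate-limited": 0}
    for i in range(requests):
        counts[gate.decide(cmd, source, i * interval)] += 1
    return counts
```

With `capacity=20, refill=5`, a client sending 1000 requests in one second gets at most about 25 cheap commands and only 2 `wchp` dumps served, whereas the whitelist-only gate serves all 1000 `ruok` probes.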



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
