zookeeper-dev mailing list archives

From Patrick Hunt <ph...@apache.org>
Subject Re: Hi Zookeeper expert, we encountered a slow attack problem, described as follows, please help to analyze and confirm, thank you very much.
Date Mon, 27 Nov 2017 20:30:46 GMT
PS. If this is an issue for you at the moment you might apply an iptables
based filter to address this until a proper patch can be applied. For
example something like

iptables -A INPUT -p tcp --syn --dport 2181 -m connlimit --connlimit-above 3 -j REJECT

will limit the number of connections from a particular IP address (2181
being the default ZK client port, YMMV)

Regards,

Patrick


On Mon, Nov 27, 2017 at 12:10 PM, Patrick Hunt <phunt@apache.org> wrote:

> Hi zhanggang, thank you for the report. Unfortunately the attachment did
> not come through (probably stripped by the ML daemon).
>
> Iiuc this does sound like a problem that would be good to address. We have
> code in place to limit the number of concurrent sessions that a particular
> IP can hold open at any one time - specifically to address the type of
> issue you describe. However I believe it only addresses session count, not
> tcp connections. This would be a good one to fix - please create a jira and
> if possible submit a patch.
>
> Thanks!
>
> Patrick
>
> On Tue, Nov 21, 2017 at 7:09 AM, zhanggang <zhanggang6@huawei.com> wrote:
>
>>
>>
>> Hi Zookeeper expert, we encountered a slow attack problem, described as
>> follows, please help to analyze and confirm, thank you very much.
>>
>>
>>
>> *Problem:*
>>
>> In the client using some method (such as telnet) to establish a tcp
>> connection with server-side zookeeper listening port, but after the
>> establishment of tcp connection, the client does not send any data.
>> However, apache will not disconnect this tcp connection, may lead to the
>> number of connections exhausted, resulting in DoS
>>
>>
>>
>> *The attack process:*
>>
>> 1. The client executes the telnet service port
>>
>> Start the client telnet server port 21816,53236,50548, do not exit for a
>> long time:
>>
>> Executing the command:
>>
>> telnet 3.101.3.119 21816
>>
>> telnet 3.101.3.118 53236
>>
>> telnet 3.101.3.124 50548
>>
>>
>>
>
>
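The two controls this thread discusses, a per-source-IP cap on concurrent TCP connections (what the iptables connlimit rule enforces at the packet filter) and a first-byte timeout that closes connections which complete the TCP handshake but never send data, modelled as an added example. This is constructed illustration code, not ZooKeeper's own connection handling and not code from either poster; the class and method names, the thresholds (3 connections per IP, 10 seconds to first byte), the IP addresses and the replayed event sequence are all assumptions.

```python
"""Constructed example: server-side guard against idle-connection exhaustion.

Two controls are modelled:
  * max_per_ip: cap on concurrent connections from one source IP
    (mirrors `--connlimit-above 3 -j REJECT` in the iptables rule above).
  * first_byte_timeout: a connection that sends nothing within this many
    seconds of accept() is closed, which is the gap the report describes
    (telnet opens the socket and never sends a request).
Names, thresholds and sample events are assumptions, not ZooKeeper's.
"""
from collections import defaultdict


class ConnectionGuard:
    def __init__(self, max_per_ip=3, first_byte_timeout=10.0):
        self.max_per_ip = max_per_ip
        self.first_byte_timeout = first_byte_timeout
        self._per_ip = defaultdict(set)   # ip -> set of open connection ids
        self._opened_at = {}              # conn_id -> (ip, accept time)
        self._seen_data = set()           # conn_ids that have sent >= 1 byte

    def on_connect(self, conn_id, ip, now):
        """Accept (True) or reject (False) a new connection from `ip` at time `now`."""
        if len(self._per_ip[ip]) >= self.max_per_ip:
            return False                  # same effect as the iptables REJECT
        self._per_ip[ip].add(conn_id)
        self._opened_at[conn_id] = (ip, now)
        return True

    def on_data(self, conn_id):
        """First bytes arrived: the connection is no longer an idle suspect."""
        self._seen_data.add(conn_id)

    def on_close(self, conn_id):
        ip, _ = self._opened_at.pop(conn_id)
        self._per_ip[ip].discard(conn_id)
        self._seen_data.discard(conn_id)

    def expire_idle(self, now):
        """Close and return every connection still silent after first_byte_timeout."""
        victims = [cid for cid, (_, t0) in self._opened_at.items()
                   if cid not in self._seen_data
                   and now - t0 >= self.first_byte_timeout]
        for cid in victims:
            self.on_close(cid)
        return victims

    def open_count(self, ip):
        return len(self._per_ip[ip])


def simulate():
    """Replay a constructed event sequence: one source holding idle telnet-style
    sockets open, one legitimate client that actually talks."""
    guard = ConnectionGuard(max_per_ip=3, first_byte_timeout=10.0)
    attacker, legit = "10.0.0.9", "10.0.0.5"     # constructed addresses
    accepted, rejected = [], []

    # t=0: five idle connections from the same source; only three get through.
    for cid in ("c1", "c2", "c3", "c4", "c5"):
        (accepted if guard.on_connect(cid, attacker, now=0.0) else rejected).append(cid)

    # t=1: a real client connects and sends its first request a second later.
    guard.on_connect("c6", legit, now=1.0)
    guard.on_data("c6")

    # t=12: reaper runs; the three silent sockets are past the timeout, c6 is not.
    expired = guard.expire_idle(now=12.0)

    # With the idle ones gone, a new connection from that source is accepted again.
    reaccepted = guard.on_connect("c7", attacker, now=12.0)

    return {
        "accepted": accepted,
        "rejected": rejected,
        "expired": expired,
        "reaccepted": reaccepted,
        "attacker_open": guard.open_count(attacker),
        "legit_open": guard.open_count(legit),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The packet-filter rule in the mail caps the connection count but does nothing about a connection that stays inside the cap and simply never speaks; the first-byte timeout is what closes that gap at the application layer, and the two are meant to be used together.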
