Hi Zookeeper expert, we encountered a slow attack problem, described as follows, please help to analyze and confirm, thank you very much.


zhanggang

Hi Zookeeper expert, we encountered a slow attack problem, described as follows, please help to analyze and confirm, thank you very much.

Problem:

The client uses some method (such as telnet) to establish a TCP connection with the server-side ZooKeeper listening port, but after the TCP connection is established, the client does not send any data. However, Apache will not disconnect this TCP connection, which may lead to the number of connections being exhausted, resulting in DoS.

The attack process:

1. The client telnets to the service port

Start telnet from the client to server ports 21816, 53236, 50548 and do not exit for a long time:

Executing the commands:

telnet 3.101.3.119 21816

telnet 3.101.3.118 53236

telnet 3.101.3.124 50548

Re: Hi Zookeeper expert, we encountered a slow attack problem, described as follows, please help to analyze and confirm, thank you very much.

Patrick Hunt
Hi zhanggang, thank you for the report. Unfortunately the attachment did
not come through (probably stripped by the ML daemon).

IIUC this does sound like a problem that would be good to address. We have
code in place to limit the number of concurrent sessions that a particular
IP can hold open at any one time - specifically to address the type of
issue you describe. However I believe it only addresses session count, not
tcp connections. This would be a good one to fix - please create a jira and
if possible submit a patch.

Thanks!

Patrick

On Tue, Nov 21, 2017 at 7:09 AM, zhanggang <[hidden email]> wrote:

>
>
> Hi Zookeeper expert, we encountered a slow attack problem, described as
> follows, please help to analyze and confirm, thank you very much.
>
>
>
> Problem:
>
> The client uses some method (such as telnet) to establish a TCP
> connection with the server-side ZooKeeper listening port, but after the
> TCP connection is established, the client does not send any data.
> However, Apache will not disconnect this TCP connection, which may lead
> to the number of connections being exhausted, resulting in DoS.
>
>
>
> The attack process:
>
> 1. The client telnets to the service port
>
> Start telnet from the client to server ports 21816, 53236, 50548 and do
> not exit for a long time:
>
> Executing the commands:
>
> telnet 3.101.3.119 21816
>
> telnet 3.101.3.118 53236
>
> telnet 3.101.3.124 50548
>
>
>
Re: Hi Zookeeper expert, we encountered a slow attack problem, described as follows, please help to analyze and confirm, thank you very much.

Patrick Hunt
PS. If this is an issue for you at the moment you might apply an iptables
based filter to address this until a proper patch can be applied. For
example something like

iptables -A INPUT -p tcp --syn --dport 2181 -m connlimit --connlimit-above 3 -j REJECT

will limit the number of connections from a particular IP address (2181
being the default ZK client port, YMMV)

Regards,

Patrick


On Mon, Nov 27, 2017 at 12:10 PM, Patrick Hunt <[hidden email]> wrote:

> Hi zhanggang, thank you for the report. Unfortunately the attachment did
> not come through (probably stripped by the ML daemon).
>
> IIUC this does sound like a problem that would be good to address. We have
> code in place to limit the number of concurrent sessions that a particular
> IP can hold open at any one time - specifically to address the type of
> issue you describe. However I believe it only addresses session count, not
> tcp connections. This would be a good one to fix - please create a jira and
> if possible submit a patch.
>
> Thanks!
>
> Patrick
>
> On Tue, Nov 21, 2017 at 7:09 AM, zhanggang <[hidden email]> wrote:
>
>>
>>
>> Hi Zookeeper expert, we encountered a slow attack problem, described as
>> follows, please help to analyze and confirm, thank you very much.
>>
>>
>>
>> Problem:
>>
>> The client uses some method (such as telnet) to establish a TCP
>> connection with the server-side ZooKeeper listening port, but after the
>> TCP connection is established, the client does not send any data.
>> However, Apache will not disconnect this TCP connection, which may lead
>> to the number of connections being exhausted, resulting in DoS.
>>
>>
>>
>> The attack process:
>>
>> 1. The client telnets to the service port
>>
>> Start telnet from the client to server ports 21816, 53236, 50548 and do
>> not exit for a long time:
>>
>> Executing the commands:
>>
>> telnet 3.101.3.119 21816
>>
>> telnet 3.101.3.118 53236
>>
>> telnet 3.101.3.124 50548
>>
>>
>>
>
>
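The two defences discussed in this thread, a per-source-IP cap on open TCP connections (what Patrick's iptables connlimit rule does in the kernel) and closing connections that never send any data (the gap Patrick notes between session limits and raw TCP connections), can be shown in a small accept loop. The following is an added example written for this thread; it is not ZooKeeper's code and not a patch for it. It assumes a plain echo protocol in place of ZooKeeper's real request handling, and the class and counter names are its own. Session accounting is out of scope.

```python
"""Added example (not ZooKeeper's code): a TCP acceptor that enforces a per-IP
connection cap and an idle timeout, so a peer that connects and then sends
nothing cannot hold a connection open indefinitely."""
import selectors
import socket
import threading
import time
from collections import Counter


class IdleGuardServer:
    """Accept loop with a per-IP TCP connection cap and an idle timeout."""

    def __init__(self, host="127.0.0.1", port=0, max_per_ip=3, idle_timeout=5.0):
        self.max_per_ip = max_per_ip
        self.idle_timeout = idle_timeout
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((host, port))
        self.listener.listen(64)
        self.listener.setblocking(False)
        self.port = self.listener.getsockname()[1]  # port=0 picks a free port
        self.sel.register(self.listener, selectors.EVENT_READ)
        self.conns = {}          # socket -> [source ip, last-activity timestamp]
        self.per_ip = Counter()  # source ip -> number of open TCP connections
        # Counters (names are this example's own, not ZooKeeper metrics).
        self.stats = Counter(accepted=0, rejected_limit=0, closed_idle=0, closed_peer=0)
        self.lock = threading.Lock()
        self.stop_event = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self.thread.start()
        return self

    def stop(self):
        self.stop_event.set()
        self.thread.join()
        for conn in list(self.conns):
            conn.close()
        self.listener.close()
        self.sel.close()

    def snapshot(self):
        """Counters plus the number of currently open client connections."""
        with self.lock:
            return dict(self.stats, open=len(self.conns))

    def _accept(self):
        try:
            conn, (ip, _port) = self.listener.accept()
        except BlockingIOError:
            return
        with self.lock:
            if self.per_ip[ip] >= self.max_per_ip:
                # Same idea as the iptables connlimit rule, enforced in userspace.
                self.stats["rejected_limit"] += 1
                conn.close()
                return
            self.per_ip[ip] += 1
            self.stats["accepted"] += 1
            self.conns[conn] = [ip, time.monotonic()]
        conn.setblocking(False)
        self.sel.register(conn, selectors.EVENT_READ)

    def _close(self, conn, reason):
        self.sel.unregister(conn)
        with self.lock:
            ip, _ = self.conns.pop(conn)
            self.per_ip[ip] -= 1
            if self.per_ip[ip] == 0:
                del self.per_ip[ip]
            self.stats[reason] += 1
        conn.close()

    def _serve(self):
        while not self.stop_event.is_set():
            for key, _ in self.sel.select(timeout=0.1):
                if key.fileobj is self.listener:
                    self._accept()
                    continue
                conn = key.fileobj
                try:
                    data = conn.recv(4096)
                    if data:
                        conn.sendall(data)  # placeholder for real request handling: echo
                except OSError:
                    data = b""
                if not data:
                    self._close(conn, "closed_peer")
                    continue
                with self.lock:
                    self.conns[conn][1] = time.monotonic()  # activity resets the timer
            # Reap connections that have been silent longer than idle_timeout.
            now = time.monotonic()
            with self.lock:
                idle = [c for c, (_, ts) in self.conns.items() if now - ts > self.idle_timeout]
            for conn in idle:
                self._close(conn, "closed_idle")


if __name__ == "__main__":
    server = IdleGuardServer(port=0, max_per_ip=3, idle_timeout=5.0).start()
    print("listening on port", server.port, "(Ctrl-C to stop)")
    try:
        while True:
            time.sleep(5)
            print(server.snapshot())
    except KeyboardInterrupt:
        server.stop()
```

Run it and open several idle telnet sessions from one host: the fourth is closed at once (`rejected_limit`), and the first three are dropped after five silent seconds (`closed_idle`), while a peer that keeps sending data stays connected. The kernel-level rule Patrick gives covers the cap but not the silence; the idle timer is the part an application has to do itself.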