[standards-jig] JEP-0060 PubSub: Denial of Service weakness in error handling...
bob at wyman.us
Sun Feb 16 02:33:30 UTC 2003
While "success" messages in JEP-0060 are often very short and succinct, it appears that when errors occur, the server must copy much of the message held to be in error and return it as part of the error message. This makes DOS attacks relatively easy to launch.

My concern is that this requires the server to consume hardware (memory) and bandwidth resources in such a way that DOS attackers might be able to exploit this aspect of the protocol.

If I wanted to attack a PubSub server, I might "publish" a message that contained a megabyte or more of payload. If the server is attached to the network with some slow link -- like a T1, a large message could consume several seconds of useful bandwidth before the entire message arrives at the server. The server would then need to buffer the entire message in memory (could exhaust available memory) and then spend another several precious seconds of bandwidth in returning a message to me telling me that I'm not authorized to publish. Given the costs involved here, I could effectively cripple a PubSub server by using only one or a small number of workstations.

Personally, I believe that error messages should be as short as possible and should be things that can be sent before an entire message is received. The PubSub server should be able to determine, after reading only a few bytes of a message, whether or not the message is authorized and immediately return an error message while trashing any content that subsequently arrives as part of the erroneous message. The server should not be forced to buffer or retransmit erroneous data.
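The header-only, early-reject handling the post argues for, shown beside the buffer-then-echo pattern it objects to. This is an added example, not code from the post or from any JEP-0060 implementation: it assumes a toy one-element framing (`<publish from='JID' node='NODE'>PAYLOAD</publish>`, not the real wire format), a constructed ACL, and a fixed HEADER_LIMIT on how many bytes the server will hold while waiting for the header.

```python
import io
import re
from dataclasses import dataclass

# Constructed ACL for the demonstration: which JIDs may publish to which node.
ACL = {"news": {"alice@example.com"}}

# Toy framing, not the real JEP-0060 wire format:
#   <publish from='JID' node='NODE'>PAYLOAD</publish>
HEADER_RE = re.compile(rb"<publish from='([^']+)' node='([^']+)'>")
HEADER_LIMIT = 512      # most request bytes held while waiting for the header
CHUNK = 4096            # default socket read size


@dataclass
class Outcome:
    reply: bytes        # what goes back to the client
    peak_buffer: int    # largest amount of request data held at once
    bytes_read: int     # how much of the request was consumed from the wire


def make_stanza(jid: str, node: str, payload: bytes) -> bytes:
    """Build a request in the toy framing (constructed test input)."""
    return f"<publish from='{jid}' node='{node}'>".encode() + payload + b"</publish>"


def authorized(jid: str, node: str) -> bool:
    return jid in ACL.get(node, set())


def handle_buffered(stream, chunk: int = CHUNK) -> Outcome:
    """The pattern the post objects to: swallow the whole stanza first, then
    echo it back inside the error. Memory use and reply size both track the
    size of whatever the client chose to send."""
    buf = bytearray()
    while data := stream.read(chunk):
        buf += data
    m = HEADER_RE.match(bytes(buf))
    if m is None:
        return Outcome(b"<error type='modify'><bad-request/></error>", len(buf), len(buf))
    if not authorized(m.group(1).decode(), m.group(2).decode()):
        reply = b"<error type='auth'>" + bytes(buf) + b"</error>"
        return Outcome(reply, len(buf), len(buf))
    return Outcome(b"<result/>", len(buf), len(buf))


def handle_streaming(stream, chunk: int = CHUNK) -> Outcome:
    """Decide on the header alone, answer with a fixed-size error, and drain
    the remainder of the request without storing or echoing it."""
    buf = bytearray()
    total = 0
    m = None
    # Phase 1: accumulate at most HEADER_LIMIT bytes while looking for the header.
    # Reads are capped so the buffer never exceeds the limit even with a large chunk.
    while m is None and len(buf) < HEADER_LIMIT:
        data = stream.read(min(chunk, HEADER_LIMIT - len(buf)))
        if not data:
            break
        total += len(data)
        buf += data
        m = HEADER_RE.match(bytes(buf))
    peak = len(buf)
    if m is None:
        reply = b"<error type='modify'><bad-request/></error>"
    elif not authorized(m.group(1).decode(), m.group(2).decode()):
        reply = b"<error type='auth'><not-authorized/></error>"
    else:
        # A real server would hand the payload to the node here, under the
        # node's own size limit; this demonstration only acknowledges it.
        reply = b"<result/>"
    # Phase 2: consume the rest only to keep the stream in sync; nothing is kept.
    while data := stream.read(chunk):
        total += len(data)
    return Outcome(reply, peak, total)


if __name__ == "__main__":
    # Constructed oversized request from an unauthorized publisher.
    attack = make_stanza("mallory@example.com", "news", b"A" * (1 << 20))
    for name, handler in (("buffered", handle_buffered), ("streaming", handle_streaming)):
        out = handler(io.BytesIO(attack))
        print(f"{name:9s} peak={out.peak_buffer:8d} reply={len(out.reply):8d} bytes")
```

The streaming handler still reads the whole request off the wire (the bandwidth cost the post describes cannot be avoided once the bytes are in flight), but its peak memory is bounded by HEADER_LIMIT regardless of payload size, and the error it returns is a fixed-size stanza rather than a copy of the offending message.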