Re: Denial Of Service attacks with gigabytes of form data?

Paul Sandoz
Harald Kirsch wrote:
> Hello,
>
> using jersey for the first time in an experimental application, I
> stumbled over a potential denial of service (DOS) attack against @POST
> resources. What happens if a user sends gigabytes of data? It seems that
> the body is parsed completely before my resource class or method would
> even see the data.

Correct if not using a stream-based Java type.


> By that time an OutOfMemory exception has certainly
> happened already.
>
> Is there a parameter somewhere to limit the size of message bodies taken
> into account?
>

This sounds like an appropriate case for using a filter (servlet or
Jersey-based).

Paul.

--
| ? + ? = To question
----------------\
    Paul Sandoz
         x38109
+33-4-76188109

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Travis R
This sounds like something that should be tackled fairly quickly.

Travis

On Tue, Jul 22, 2008 at 4:24 AM, Paul Sandoz <[hidden email]> wrote:

Harald Kirsch
In reply to this post by Paul Sandoz
Hi Paul,

thanks for the fast answer.

On 22.07.2008 13:24, Paul Sandoz wrote:

> Harald Kirsch wrote:
>> Hello,
>>
>> using jersey for the first time in an experimental application, I
>> stumbled over a potential denial of service (DOS) attack against @POST
>> resources. What happens if a user sends gigabytes of data? It seems that
>> the body is parsed completely before my resource class or method would
>> even see the data.
>
> Correct if not using a stream-based Java type.

Ok, that would do it at least for my application, since I am using
InputStream. But what I get is actually a ByteArrayInputStream and so I
am afraid the input was first completely read into memory.

Harald.

--
--------------+---------------------------------------------
Harald Kirsch | pifpafpuf bei gmx punkt de

Paul Sandoz
Harald Kirsch wrote:
> Ok, that would do it at least for my application, since I am using
> InputStream. But what I get is actually a ByteArrayInputStream and so I
> am afraid the input was first completely read into memory.
>

Jersey does not attempt to buffer bytes when using an InputStream. It
passes the InputStream directly from the container (servlet or
otherwise). So I am not sure what is going on... can you share some code?

Paul.

--
| ? + ? = To question
----------------\
    Paul Sandoz
         x38109
+33-4-76188109

Paul Sandoz
In reply to this post by Travis R
Travis Reeder wrote:
> This sounds like something that should be tackled fairly quickly.
>

I am wondering what other frameworks do here, anyone know? Is this
something that is tackled by routers before the request hits the
application? Or is this something that can also be configured by the app
server?

Paul.


--
| ? + ? = To question
----------------\
    Paul Sandoz
         x38109
+33-4-76188109

Harald Kirsch
In reply to this post by Paul Sandoz


On 23.07.2008 10:37, Paul Sandoz wrote:
> Harald Kirsch wrote:
>> Ok, that would do it at least for my application, since I am using
>> InputStream. But what I get is actually a ByteArrayInputStream and so I
>> am afraid the input was first completely read into memory.
>>
>
> Jersey does not attempt to buffer bytes when using an InputStream. It
> passes the InputStream directly from the container (servlet or
> otherwise). So i am not sure what is going on... can you share some code?

This is pretty boring. I have a small standalone application and the
relevant bits of code are:

Start the standalone HttpServer:

import com.sun.net.httpserver.HttpServer;
import com.sun.jersey.api.container.httpserver.HttpServerFactory;
...
    // Jersey's factory wraps the JDK's built-in HttpServer around the resource classes
    HttpServer server =
      HttpServerFactory.create("http://localhost:"+port+'/');
    server.start();

Get control some time later in this method:

@POST
public Response upload(@FormParam("upload") InputStream in) throws IOException

Printing 'in' shows that it is a ByteArrayInputStream. So I guess you
are right and it is the fault of this HttpServer. Maybe I should check
with Tomcat then, for example.

Harald.

--
--------------+---------------------------------------------
Harald Kirsch | pifpafpuf bei gmx punkt de

Paul Sandoz
Harald Kirsch wrote:

>
> Am 23.07.2008 10:37 schrieb Paul Sandoz:
>> Harald Kirsch wrote:
>>> Ok, that would do it at least for my application, since I am using
>>> InputStream. But what I get is actually a ByteArrayInputStream and so I
>>> am afraid the input was first completely read into memory.
>>>
>> Jersey does not attempt to buffer bytes when using an InputStream. It
>> passes the InputStream directly from the container (servlet or
>> otherwise). So i am not sure what is going on... can you share some code?
>
> This is pretty boring. I have a small standalone application and the
> relevant bits of code are:
>
> Start the standalone HttpServer:
>
> import com.sun.net.httpserver.HttpServer;
> ...
>     HttpServer server =
>       HttpServerFactory.create("http://localhost:"+port+'/');
>     server.start();
>
> Get control some time later in this method:
>
> public Response upload(@FormParam("upload") InputStream in) throws
> IOException
>
> Printing 'in' shows that it is a ByteArrayInputStream. So I guess you
> are right and it is the fault of this HttpServer. Maybe I should check
> with Tomcat then, for example.
>

Ah! The example was most helpful. In this case it is not the container.

You are using @FormParam, I presume with "multipart/form-data". What
happens is that Jersey will use the JavaMail API to process the
information and extract out the body part with the content disposition
named "upload".

So the problem is in JavaMail (it buffers). Perhaps it is the way
Jersey uses the JavaMail API. I hoped that the way I was using it would
ensure that buffering would not be performed. Drat :-( I may need to use
something other than JavaMail...

Could you log an issue on this?

Thanks,
Paul.

--
| ? + ? = To question
----------------\
    Paul Sandoz
         x38109
+33-4-76188109
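As an added example (not code from this thread, from Jersey or from JavaMail), one way to implement the size-limiting filter Paul suggested earlier in the thread, written against the javax.servlet 2.5 API and assumed to be mapped in web.xml ahead of the Jersey servlet. It refuses bodies whose declared Content-Length exceeds the cap before anything is read and, for chunked or misdeclared bodies, counts bytes as downstream code (including the multipart parser Paul describes) consumes the stream, so whatever that parser buffers can never grow past the cap. MaxBodySizeFilter, CappedInputStream and the 10 MiB limit are all assumed names and values.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: caps the request body so a huge POST cannot be buffered into memory. */
public class MaxBodySizeFilter implements Filter {
    private static final long MAX_BYTES = 10L * 1024 * 1024; // assumed cap: 10 MiB

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // Cheap check first: a declared Content-Length over the cap is refused before any read.
        String declared = http.getHeader("Content-Length");
        if (declared != null) {
            try {
                if (Long.parseLong(declared.trim()) > MAX_BYTES) {
                    out.sendError(413, "Request entity too large");
                    return;
                }
            } catch (NumberFormatException e) {
                out.sendError(400, "Malformed Content-Length");
                return;
            }
        }
        // Chunked or misdeclared bodies: count bytes as downstream code reads the stream.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            public ServletInputStream getInputStream() throws IOException {
                return new CappedInputStream(super.getInputStream(), MAX_BYTES);
            }
        }, res);
    }

    /** Wraps the container stream and fails once more than max bytes have been read.
     *  Only read() is overridden; InputStream's bulk read(byte[],int,int) loops over it. */
    static final class CappedInputStream extends ServletInputStream {
        private final InputStream in;
        private final long max;
        private long count;

        CappedInputStream(InputStream in, long max) { this.in = in; this.max = max; }

        public int read() throws IOException {
            int b = in.read();
            if (b != -1 && ++count > max) throw new IOException("request body exceeds " + max + " bytes");
            return b;
        }
    }
}
```

The IOException surfaces inside the multipart parser or the resource method, so the partially read body is discarded rather than accumulated; a Jersey-based filter could apply the same header check but only a servlet-level wrapper reaches the raw stream before the form parameters are parsed.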
