SSL DOS vulnerability #138
Comments
Thanks for the report. We always used a load balancer that did SSL so this code wasn't battle tested by us. Could you submit it as a pull request?
It looks like a more general way to mitigate this issue may be to separate out transport_accept and ssl_accept into two phases, such that the acceptor is recycled after the first phase. Any sort of backoff in the emfile scenario should likely apply to any configuration, not really related to SSL specifically.
mitigate SSL and emfile related conditions per #138
Thanks. Btw, this fix also prevents mochiweb from running out of acceptors when you have slow ssl clients connected to your server.
It is easy to DOS a mochiweb server by sending it 10 adapted SSL requests per second.
Mochiweb sleeps 100 ms if a request fails in the accept phase. This is very easy to trigger when setting up an SSL connection. It can time out, can have record overflows and what not.
The timer:sleep(100) is there to lower the accept rate when the server is out of fds, but it should not be used for other errors. I have patched zotonic's branch of mochiweb like this:
zotonic/mochiweb@2afa95c
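The two points raised in this thread, backing off only on emfile and splitting the accept into a transport phase and a TLS-handshake phase so the acceptor is free again before the handshake starts, as an added illustration (this is not mochiweb's or zotonic's code). It assumes a listen socket opened with ssl:listen/2 and a caller-supplied Handle/1 fun for the established connection; ssl:ssl_accept/2 is the OTP call of the era and is deprecated in favour of ssl:handshake/2 in current OTP.

```erlang
%% Added example, not mochiweb's acceptor: sleep only on fd exhaustion and
%% keep slow or broken TLS handshakes out of the acceptor process.
-module(ssl_acceptor_example).
-export([acceptor_loop/2, handle_accept_error/1]).

-define(EMFILE_BACKOFF_MS, 100).

%% Phase 1: ssl:transport_accept/1 completes only the TCP accept and returns
%% quickly, so the acceptor is back in accept almost immediately.
acceptor_loop(ListenSocket, Handle) ->
    case ssl:transport_accept(ListenSocket) of
        {ok, TransportSocket} ->
            %% Phase 2 runs in a fresh process: a client that stalls, times out
            %% or sends an oversized record costs that process, not the acceptor.
            Worker = spawn(fun() ->
                               receive {go, S} -> finish_accept(S, Handle) end
                           end),
            %% Hand over ownership before the worker touches the socket.
            ok = ssl:controlling_process(TransportSocket, Worker),
            Worker ! {go, TransportSocket},
            acceptor_loop(ListenSocket, Handle);
        {error, Reason} ->
            case handle_accept_error(Reason) of
                stop -> ok;
                _    -> acceptor_loop(ListenSocket, Handle)
            end
    end.

%% Only file-descriptor exhaustion warrants a sleep, to give in-flight
%% connections time to close. Every other accept failure is retried at once,
%% so a stream of failing handshakes cannot throttle the accept rate.
handle_accept_error(emfile) ->
    timer:sleep(?EMFILE_BACKOFF_MS),
    backoff;
handle_accept_error(closed) ->
    stop;   % listen socket is gone; let the acceptor exit normally
handle_accept_error(Reason) ->
    error_logger:warning_msg("accept error: ~p~n", [Reason]),
    retry.

%% Bounded handshake time (assumed 5 s) so an idle client cannot hold the
%% worker forever; on failure the raw socket is closed and nothing else waits.
finish_accept(TransportSocket, Handle) ->
    case ssl:ssl_accept(TransportSocket, 5000) of
        ok ->
            Handle(TransportSocket);
        {error, Reason} ->
            error_logger:info_msg("TLS handshake failed: ~p~n", [Reason]),
            ssl:close(TransportSocket)
    end.
```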