Quickest way to kill a connection

Quickest way to kill a connection

Alan Williamson
It's me again!

I am getting on great guns you'll be pleased to know.

Just a quick one today ... as per the subject, what is the quickest way
to kill off a client.

I have tried:

res.reset();
res.finish();

I have also tried throwing an exception.

I want to kill off the connection completely; waste no more bandwidth on
the person.   As you can understand this is part of the spam prevention,
the very reason, i am using grizzly in the first place.

I read in the HTTP header, and once i have that, i can make a decision
as to whether or not we service them.  If we don't, we sandbox them for
a while and prevent them from connecting.

In the "servlet" days, we would simply close the outputstream.

Please advise.

thanks

a

--
Alan Williamson
  "a wiki -and- a blog" @ http://www.Blog-City.com/

  b: http://alan.blog-city.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Quickest way to kill a connection

Jeanfrancois Arcand-2


Alan Williamson wrote:
> It's me again!
>
> I am getting on great guns you'll be pleased to know.

:-) :-)

>
> Just a quick one today ... as per the subject, what is the quickest way
> to kill off a client.
>
> I have tried:
>
> res.reset();
> res.finish();
>
> I have also tried throwing an exception.
>
> I want to kill off the connection completely; waste no more bandwidth on
> the person.   As you can understand this is part of the spam prevention,
> the very reason, i am using grizzly in the first place.

Have you implemented a ReadFilter to throttle requests? Because inside
that class, you might just set:

ctx.getSelectorHandler().getSelectionKeyHandler().cancel(ctx.getSelectionKey());

If you are inside Adapter, try to do

res.addHeader("Connection","close");

or

res.setStatus(408); //Or 404

Let me know if that doesn't work.

Thanks

-- Jeanfrancois



>
> I read in the HTTP header, and once i have that, i can make a decision
> as to whether or not we service them.  If we don't, we sandbox them for
> a while and prevent them from connecting.
>
> In the "servlet" days, we would simply close the outputstream.



>
> Please advise.
>
> thanks
>
> a
>

Re: Quickest way to kill a connection

Alan Williamson
> Have you implemented a ReadFilter to throttle requests? Because inside
> that class, you might just set:
>
> ctx.getSelectorHandler().getSelectionKeyHandler().cancel(ctx.getSelectionKey());

i am about to implement that beast now!


> If you are inside Adapter, try to do
>
> res.addHeader("Connection","close");
> res.setStatus(408); //Or 404

This worked thanks.  Although it still sent back data to the client;
albeit just the header.  No way to short cut that?   just close the
connection?

Speaking of closing connections:

    ByteBufferInputStream.setDefaultReadTimeout( 5000 );

This doesn't work as i would hope it to.  Try the following.

telnet to your grizzly server.  Then, once a second, fire off a single
character, with CRLF.  You will be able to do this until you are bored!

now try that to an Apache server, or even Google server.  You will
notice it kicks you out instantly because the first line of the HTTP
request is invalid.

So this is a major DoS attack potential on a Grizzly server.  It's
usually the simple attacks that can really bring down a good server! :(

What can we do to prevent this?

thanks


Re: Quickest way to kill a connection

Jeanfrancois Arcand-2


Alan Williamson wrote:

>> Have you implemented a ReadFilter to throttle requests? Because inside
>> that class, you might just set:
>>
>> ctx.getSelectorHandler().getSelectionKeyHandler().cancel(ctx.getSelectionKey());
>
>
> i am about to implement that beast now!
>
>
>> If you are inside Adapter, try to do
>>
>> res.addHeader("Connection","close");
>> res.setStatus(408); //Or 404
>
> This worked thanks.  Although it still sent back data to the client;
> albeit just the header.  No way to short cut that?   just close the
> connection?

You gonna need to do it at the NIO level (inside the ProtocolFilter).
Unfortunately I've never needed to do it at the Adapter level...

>
> Speaking of closing connections:
>
>    ByteBufferInputStream.setDefaultReadTimeout( 5000 );
>
> This doesn't work as i would hope it to.  Try the following.
>
> telnet to your grizzly server.  Then, once a second, fire off a single
> character, with CRLF.  You will be able to do this until you are bored!

Hum then it's a bug. Stay tuned for the fix.

I suspect the connection will be dropped after 250 requests (the
st.setMaxKeepAliveRequests(...)....

>
> now try that to an Apache server, or even Google server.  You will
> notice it kicks you out instantly because the first line of the HTTP
> request is invalid.

That is what it is supposed to do actually.

>
> So this is a major DoS attack potential on a Grizzly server.  It's
> usually the simple attacks that can really bring down a good server! :(
>
> What can we do to prevent this?
>

Fix the issue :-) Stay tuned!

-- Jeanfrancois

> thanks
>
>

Re: Quickest way to kill a connection

Jeanfrancois Arcand-2
Salut,

OK I've fixed the issue. Mainly, the time was always multiplied by 2 (I
know I did that because of a jdk 1.4 issue, but don't recall why exactly
  ;-)). Anyway I've removed the * 2 and now setting the timeout to 1
produces:

> [ja120114@localhost grizzly]$ telnet localhost 8080
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> a
> a
> Connection closed by foreign host.

Let me know if that still doesn't work. The new binary has been
uploaded as well.

Thanks!

-- Jeanfrancois

Jeanfrancois Arcand wrote:

>
>
> Alan Williamson wrote:
>>> Have you implemented a ReadFilter to throttle requests? Because
>>> inside that class, you might just set:
>>>
>>> ctx.getSelectorHandler().getSelectionKeyHandler().cancel(ctx.getSelectionKey());
>>
>>
>>
>> i am about to implement that beast now!
>>
>>
>>> If you are inside Adapter, try to do
>>>
>>> res.addHeader("Connection","close");
>>> res.setStatus(408); //Or 404
>>
>> This worked thanks.  Although it still sent back data to the client;
>> albeit just the header.  No way to short cut that?   just close the
>> connection?
>
> You gonna need to do it at the NIO level (inside the ProtocolFilter).
> Unfortunately I've never needed to do it at the Adapter level...
>
>>
>> Speaking of closing connections:
>>
>>    ByteBufferInputStream.setDefaultReadTimeout( 5000 );
>>
>> This doesn't work as i would hope it to.  Try the following.
>>
>> telnet to your grizzly server.  Then, once a second, fire off a single
>> character, with CRLF.  You will be able to do this until you are bored!
>
> Hum then it's a bug. Stay tuned for the fix.
>
> I suspect the connection will be dropped after 250 requests (the
> st.setMaxKeepAliveRequests(...)....
>
>>
>> now try that to an Apache server, or even Google server.  You will
>> notice it kicks you out instantly because the first line of the HTTP
>> request is invalid.
>
> That is what it is supposed to do actually.
>
>>
>> So this is a major DoS attack potential on a Grizzly server.  It's
>> usually the simple attacks that can really bring down a good server! :(
>>
>> What can we do to prevent this?
>>
>
> Fix the issue :-) Stay tuned!
>
> -- Jeanfrancois
>
>> thanks
>>
>>

Re: Quickest way to kill a connection

Alan Williamson
thanks Jeanfrancois,  you just caught me as i am about to head off to
bed [am out of Scotland]; so i will get to this first thing in the morning.

appreciate the efforts.

Jeanfrancois Arcand wrote:

> Salut,
>
> OK I've fixed the issue. Mainly, the time was always multiplied by 2 (I
> know I did that because of a jdk 1.4 issue, but don't recall why exactly
>  ;-)). Anyway I've removed the * 2 and now setting the timeout to 1
> produces:
>
>> [ja120114@localhost grizzly]$ telnet localhost 8080
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> a
>> a
>> Connection closed by foreign host.
>
> Let me know if that still doesn't work. The new binary has been
> uploaded as well.
>
> Thanks!

Re: Quickest way to kill a connection

Alan Williamson
Jeanfrancois Arcand wrote:

> Salut,
>
> OK I've fixed the issue. Mainly, the time was always multiplied by 2 (I
> know I did that because of a jdk 1.4 issue, but don't recall why exactly
>  ;-)). Anyway I've removed the * 2 and now setting the timeout to 1
> produces:
>
>> [ja120114@localhost grizzly]$ telnet localhost 8080
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> a
>> a
>> Connection closed by foreign host.
>
> Let me know if that still doesn't work. The new binary has been
> uploaded as well.

Morning.

Tried the new JAR from:
   http://download.java.net/maven/2/com/sun/grizzly/http/1.6-SNAPSHOT/

and it only seems to work if i set the following:

    ByteBufferInputStream.setDefaultReadTimeout( 5 );

but you indicated to me earlier that this is milliseconds and not
seconds.  So am not sure what is going on.

    ByteBufferInputStream.setDefaultReadTimeout( 5000 );

if i set this, then i can push characters to telnet quite happily.

Re: Quickest way to kill a connection

Jeanfrancois Arcand-2


Alan Williamson wrote:

> Jeanfrancois Arcand wrote:
>> Salut,
>>
>> OK I've fixed the issue. Mainly, the time was always multiplied by 2
>> (I know I did that because of a jdk 1.4 issue, but don't recall why
>> exactly  ;-)). Anyway I've removed the * 2 and now setting the timeout
>> to 1 produces:
>>
>>> [ja120114@localhost grizzly]$ telnet localhost 8080
>>> Trying 127.0.0.1...
>>> Connected to localhost.
>>> Escape character is '^]'.
>>> a
>>> a
>>> Connection closed by foreign host.
>>
>> Let me know if that still doesn't work. The new binary has been
>> uploaded as well.
>
> Morning.
>
> Tried the new JAR from:
>   http://download.java.net/maven/2/com/sun/grizzly/http/1.6-SNAPSHOT/
>
> and it only seems to work if i set the following:
>
>    ByteBufferInputStream.setDefaultReadTimeout( 5 );
>
> but you indicated to me earlier that this is milliseconds and not
> seconds.  So am not sure what is going on.
>
>    ByteBufferInputStream.setDefaultReadTimeout( 5000 );
>
> if i set this, then i can push characters to telnet quite happily.

Just to make sure I get it correctly, can you tell me what you are doing
exactly? Are the bytes a well-formed request or just junk? Setting it to
5 is quite low and will break normal request processing under load in
case the OS buffers are full.

Thanks!

-- Jeanfrancois



Re: Quickest way to kill a connection

Alan Williamson
> Just to make sure I get it correctly, can you tell me what you are doing
> exactly? Are the bytes a well-formed request or just junk? Setting it to
> 5 is quite low and will break normal request processing under load in
> case the OS buffers are full.

i am sending it junk.

Re: Quickest way to kill a connection

Jeanfrancois Arcand-2


Alan Williamson wrote:
>> Just to make sure I get it correctly, can you tell me what you are
>> doing exactly? Are the bytes a well-formed request or just junk?
>> Setting it to 5 is quite low and will break normal request processing
>> under load in case the OS buffers are full.
>
> i am sending it junk.

OK can you try the following. Download the following jars:

http://weblogs.java.net/blog/jfarcand/archive/DosTest.zip

This is the Grizzly WebServer. I've set the default timeout to 5000. I
start the server with:

java -jar http-1.6-SNAPSHOT.jar 8080 /var/www/

Then I'm doing:


> [ja120114@localhost grizzly]$ telnet localhost 8080
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> aaaa
> aaaa

The 5000 seems to work. Could it be an issue with your implementation?

Thanks

-- Jeanfrancois


DoS prevention [was Re: Quickest way to kill a connection]

Alan Williamson
> OK can you try the following. Download the following jars:
>
> http://weblogs.java.net/blog/jfarcand/archive/DosTest.zip
>
> This is the Grizzly WebServer. I've set the default timeout to 5000. I
> start the server with:
>
> java -jar http-1.6-SNAPSHOT.jar 8080 /var/www/
>
> Then I'm doing:
>
>
>> [ja120114@localhost grizzly]$ telnet localhost 8080
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> aaaa
>> aaaa
>
> The 5000 seems to work. Could it be an issue with your implementation?

Thanks ... okay we are getting close.

This particular example does work.  HOWEVER ... i can open up a
connection and send NOTHING to it, and it sits there for ages.  Well
past the 5 second mark.  It's as soon as i send the first character does
the timer actually kick in.

make sense?

Re: DoS prevention [was Re: Quickest way to kill a connection]

Jeanfrancois Arcand-2


Alan Williamson wrote:

>> OK can you try the following. Download the following jars:
>>
>> http://weblogs.java.net/blog/jfarcand/archive/DosTest.zip
>>
>> This is the Grizzly WebServer. I've set the default timeout to 5000. I
>> start the server with:
>>
>> java -jar http-1.6-SNAPSHOT.jar 8080 /var/www/
>>
>> Then I'm doing:
>>
>>
>>> [ja120114@localhost grizzly]$ telnet localhost 8080
>>> Trying 127.0.0.1...
>>> Connected to localhost.
>>> Escape character is '^]'.
>>> aaaa
>>> aaaa
>>
>> The 5000 seems to work. Could it be an issue with your implementation?
>
> Thanks ... okay we are getting close.

OK that one works :-)

>
> This particular example does work.  HOWEVER ... i can open up a
> connection and send NOTHING to it, and it sits there for ages.  Well
> past the 5 second mark.

Hum..here is what I've tested. I've written:

> #!/bin/sh
> t1=`date +%s`
> telnet localhost 8080
> t2=`date +%s`
> echo Connection closed after: `expr $t2 - $t1` seconds

and got:

> [ja120114@localhost container]$ ./timedTelnet.sh
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Connection closed by foreign host.
> Connection closed after: 31 seconds

which is what I was expecting as the default keepAliveInSeconds is 30.

If you execute the same script, is it closing on time?
Are you invoking in your main:

st.setMaxKeepAliveInSeconds(30); //Default is 30 when not set.

Thanks

-- Jeanfrancois



> It's as soon as i send the first character does
> the timer actually kick in.
>
> make sense?
>
>
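
The thread separates three cases: a client that connects and sends nothing, one that trickles a character per second, and one whose first line is not HTTP. The sketch below is an added example in plain java.net (not Grizzly code, and not from either poster) that bounds all three with one absolute deadline armed at accept and closes rejected peers without writing a response; the class name, the 5000 ms budget, the 8192-byte cap and port 8080 are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;

// Added example (plain java.net, not Grizzly): one absolute deadline per connection.
public class HeaderDeadlineServer {
    static final long BUDGET_MS = 5000;      // assumed: total time allowed for the request head
    static final int MAX_HEAD_BYTES = 8192;  // assumed: cap on request line plus headers

    // Returns the request head, or null if the peer was silent, slow, oversized or not HTTP.
    static String readHead(Socket s) throws IOException {
        long deadline = System.nanoTime() + BUDGET_MS * 1_000_000L; // armed before any byte arrives
        InputStream in = s.getInputStream();
        byte[] buf = new byte[MAX_HEAD_BYTES];
        int len = 0;
        while (len < buf.length) {
            long leftMs = (deadline - System.nanoTime()) / 1_000_000L;
            if (leftMs <= 0) return null;         // budget spent by a trickling peer
            s.setSoTimeout((int) leftMs);         // remaining time only; a new byte never resets it
            int n;
            try {
                n = in.read(buf, len, buf.length - len);
            } catch (SocketTimeoutException e) {
                return null;                      // peer connected and sent nothing in time
            }
            if (n < 0) return null;               // peer closed early
            len += n;
            String head = new String(buf, 0, len, StandardCharsets.ISO_8859_1);
            int eol = head.indexOf("\r\n");
            // Judge the request line as soon as it is complete, before waiting for more bytes.
            if (eol >= 0 && !head.substring(0, eol).matches("[A-Z]+ \\S+ HTTP/\\d\\.\\d")) return null;
            if (head.contains("\r\n\r\n")) return head;
        }
        return null;                              // head larger than the cap
    }

    public static void main(String[] args) throws IOException {
        try (ServerSocket server = new ServerSocket(8080)) {   // assumed port
            while (true) {
                Socket s = server.accept();
                new Thread(() -> {                // thread per connection, for brevity only
                    try (Socket c = s) {
                        String head = readHead(c);
                        if (head == null) { c.setSoLinger(true, 0); return; } // reset, no reply bytes
                        c.getOutputStream().write("HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n"
                                .getBytes(StandardCharsets.ISO_8859_1));
                    } catch (IOException ignored) { }
                }).start();
            }
        }
    }
}
```

Run against this sketch, a silent telnet session is reset after about 5 seconds, and a session that types one junk line is reset as soon as that line ends.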
