DDoS Spring 5 RouterFunction apps [SPR-15560] #20119

Closed
spring-projects-issues opened this issue May 18, 2017 · 3 comments
Labels: in: web type: bug

spring-projects-issues commented May 18, 2017

Maksim Kostromin opened SPR-15560 and commented

to reproduce bug, run this service

in a console send curl request:
curl localhost:3000//

or use httpie:
http :3000//

terminal should hang and fail after timeout
http: error: Request timed out (30s).

I didn't investigate if connections will stay open while all such requests are waiting for their timeouts. If so, attackers can easily DDoS these kinds of Spring 5 apps by sending 65k requests for 30 seconds.

possible fix
previous discussion
parent issue


Affects: 5.0 RC1

Reference URL: https://github.com/daggerok/functional-spring/blob/master/reactive-service/src/main/java/daggerok/ReactiveServiceApplication.java

Issue Links:

  • #21318 WebFlux handles requests with an illegal Host header inconsistently
  • #20088 Replace many following slashes of client URI with single slash. ("supersedes")

Referenced from: commits 11075f1

spring-projects-issues commented May 19, 2017

Rossen Stoyanchev commented

Much appreciated, thanks!

spring-projects-issues commented May 20, 2017

Rossen Stoyanchev commented

Turns out java.net.URI does not mind multiple slashes after all and I misread the spec where "segment" is defined as any number of chars. So http://localhost:3000// is okay but it fails on Netty because we parse the path ("//") independently as a URI and it's rejected because it looks like invalid schema. By contrast http://localhost:3000/foo// works fine.

In addition Reactor Netty does not handle error signals as 500 errors well and hangs instead. I've created a ticket for that but meanwhile also improved the way the URI is parsed so we don't run into this issue and also tightened URISyntaxException handling so it would be treated as a 400 error if it did occur.
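The parsing difference described in the comment above, as an added example that is not part of this issue or of Spring Framework's own code. It uses only `java.net.URI`: a raw path such as `//` parsed on its own is read as a network-path reference (the next segment becomes an authority, and `//` alone has none), while the same path inside a complete request URI parses as a plain path. The class name, the helper names, the constructed sample paths and the `statusForPathAlone` 400-versus-200 mapping are assumptions made for the illustration, not Spring APIs.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added illustration (not Spring Framework code) of how java.net.URI treats
 * a request path that begins with "//", depending on whether the path is
 * parsed on its own or as part of a complete request URI.
 */
public class DoubleSlashPathDemo {

    /** Parses the raw path on its own, the way the comment says the Netty adapter did. */
    static String describePathAlone(String rawPath) {
        try {
            URI u = new URI(rawPath);
            // A leading "//" makes java.net.URI read the following segment as an authority.
            return "ok authority=" + u.getAuthority() + " path=" + u.getRawPath();
        } catch (URISyntaxException e) {
            return "URISyntaxException: " + e.getMessage();
        }
    }

    /** Parses the same raw path as part of a complete request URI (assumed base host). */
    static String describeFullUri(String rawPath) {
        try {
            URI u = new URI("http://localhost:3000" + rawPath);
            return "ok authority=" + u.getAuthority() + " path=" + u.getRawPath();
        } catch (URISyntaxException e) {
            return "URISyntaxException: " + e.getMessage();
        }
    }

    /**
     * Hypothetical status mapping for a handler that still parses the path alone:
     * a malformed request URI is a client error (400), never a 500 and never a hang.
     */
    static int statusForPathAlone(String rawPath) {
        try {
            new URI(rawPath);
            return 200;
        } catch (URISyntaxException e) {
            return 400;
        }
    }

    public static void main(String[] args) {
        // Constructed sample paths: the reporter's "//" and "/foo//", plus a
        // network-path-looking reference to show what "parse the path alone" does.
        String[] paths = {"/", "//", "/foo//", "//attacker.example/x"};
        for (String p : paths) {
            System.out.println("path alone  " + p + " -> " + describePathAlone(p));
            System.out.println("full URI    " + p + " -> " + describeFullUri(p));
            System.out.println("status      " + p + " -> " + statusForPathAlone(p));
            System.out.println();
        }
    }
}
```

Running the class shows the asymmetry the comment reports: `//` parsed alone fails with an "Expected authority" syntax error, `//attacker.example/x` parsed alone yields the authority `attacker.example` rather than a path, and every one of the same strings appended to `http://localhost:3000` parses with the expected path and the real host as authority. The practical checks are the two the comment names: parse the request target in the context of the full request rather than the bare path, and make sure a `URISyntaxException` that does occur is turned into a 400 response instead of an error signal that leaves the connection hanging until the client gives up.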

spring-projects-issues commented May 23, 2017

Maksim Kostromin commented

thanks
