I haven't nailed down the minimal case, but I have encountered what appears
to be a possible AOLserver Denial of Service....

It appears that ns_returnfile will not timeout, but will hold a connection
open in perpetuity.

Here's what I observe:

1.  OpenACS 3.2.5 has a module, SDM, that registers a proc to
     handle downloads of various "releases" (most likely a tar file).

2.  That proc will call ns_returnfile to return the file.

3.  The proc will then go on to insert various entries into a db,
     logging the download.

4.  Tailing the server log, and using IE 5.5, I visited the SDM module
     and instigated a download.  Relatively immediately, IE 5.5 pops up
     a dialog box titled "File Download" and asking me if I wish to
     Open this file from its current location, or download it to disk.

5.  I leave the room, pop open a coke, and flip channels looking for
     an early John Wayne flick (for some reason they are rampant after
     1:30am on the freebie (free as in commercial) cable channels).

6.  It's at least ten minutes later, and no joy on the TV front.
     I can't find an X-Files rerun, a Quantum Leap rerun, or a
     Buffy rerun.  Xena is on, but it jumped the shark long ago.
     What I wouldn't give to find a cable channel with Maverick on,
     but I haven't found Maverick on in fifteen years.  No, what we
     do have is:

http://tv.yahoo.com/grid?lineup=us_CA60321&genres=0&dur=&starttime=1003057200&.intl=us
NIKP 53 Cheers TVG, CC Cheers TVG, CC Cheers TVG, CC Cheers TVG, CC Cheers
TVG, CC Cheers TVG, CC NIKP 53

     Yes, Nik is showing 7 1/2 straight hours of Sam, Diane, and Woody.
     I think I've seen this Twilight Zone that I am now taking part in.

     Life sucks tonight. I return to the damned computer, click
     [Cancel], and then observe the tailed server log initiate
     the database inserts using what now appears to be a very old
     connection number.

Is that ns_returnfile combined with my TV viewing holding that connection
resource?  (I believe so.)  Can this be used to force a DOS on an AOLserver?

Scenario: I have a Tcl proc on my attacker AOLserver fork 200
threads.  Each thread visits YOUR MACHINE, where it visits a URL on your
machine known to invoke ns_returnfile.  The thread then does nothing: I
guess it opens the connection, but doesn't read any of the bytes.  After
100 or so of these attempts, your AOLserver has no more connections to give
to legitimate requests. DOS.

Would this work?  Have I missed something?  (Well I did miss Blazing
Saddles, D'oh!)

Am I right to think that ns_returnfile should have a timeout?

Do you know where I can still find Bart, Beau, and Brett?  (Apart from a
planet 42 light-years away?)


Jerry
========================================================
Jerry Asher                      [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709               Fax: (877) 311-8688
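Added example, not code from the post or from AOLserver: a file-returning worker with a per-write deadline, so a peer that stops reading (the download dialog left open above, or the idle connections in the attack sketch) costs the server a bounded wait instead of holding the worker indefinitely. The socketpair, the constructed 4 MiB file and the 0.5 s deadline are assumptions made so it runs offline.

```python
import os
import socket
import tempfile
import threading


def send_file_with_deadline(conn, path, chunk=65536, write_timeout=5.0):
    """Stream the file at `path` to `conn`, but give up if the peer stops
    reading for `write_timeout` seconds (the timeout the post asks for).
    Returns ("done", n) or ("stalled", n); n counts bytes handed to the
    kernel, so on a stall the last chunk may be only partly queued."""
    conn.settimeout(write_timeout)
    sent = 0
    try:
        with open(path, "rb") as f:
            while True:
                buf = f.read(chunk)
                if not buf:
                    return ("done", sent)
                conn.sendall(buf)          # raises socket.timeout on a stall
                sent += len(buf)
    except socket.timeout:
        return ("stalled", sent)
    finally:
        conn.close()                       # frees the worker either way


def simulate_download(client_reads, size=4 * 1024 * 1024, write_timeout=0.5):
    """Constructed scenario: a worker streams a `size`-byte file over a
    socketpair. The peer either drains it (a normal browser) or never
    reads (the dialog left open). Returns "done" or "stalled"."""
    server, client = socket.socketpair()
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))          # constructed "release" tarball
    reader = None
    if client_reads:
        def drain():
            while client.recv(65536):      # read until the server closes
                pass
        reader = threading.Thread(target=drain, daemon=True)
        reader.start()
    try:
        status, _ = send_file_with_deadline(server, path, write_timeout=write_timeout)
        if reader:
            reader.join(5)                 # reader sees EOF once server side closes
    finally:
        client.close()
        os.remove(path)
    return status
```

With a kernel socket buffer far smaller than the file, the non-reading peer blocks the write within the first few chunks and the deadline fires after 0.5 s; without `settimeout` the same `sendall` would block for as long as the peer stays connected.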
