-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74615/
-----------------------------------------------------------
(Updated Sept. 20, 2023, 8:57 a.m.)
Review request for ranger.
Summary (updated)
-----------------
RANGER-4420: Fixing the "Slow HTTP Denial of Service (DoS) Attack"
vulnerability for Ranger Admin.
Bugs: RANGER-4420
https://issues.apache.org/jira/browse/RANGER-4420
Repository: ranger
Description
-------
For Ranger Admin, we detected the vulnerability "Slow HTTP Denial of Service
(DoS) Attack".
This is because the embedded Tomcat code does not set the connectionTimeout
parameter; we can introduce the configurable parameter
`ranger.service.http.connector.attrib.connectionTimeout` to repair it.
```java
// Read the connector timeout from ranger-admin-site.xml, defaulting to 10000 ms.
server.getConnector().setAttribute("connectionTimeout",
        EmbeddedServerUtil.getLongConfig("ranger.service.http.connector.attrib.connectionTimeout", 10000L));
```
At the same time, we can modify the value in the
"`ranger-admin/ews/webapp/WEB-INF/classes/conf/ranger-admin-site.xml`"
configuration file, which is set to 10000ms by default.
```xml
<property>
<name>ranger.service.http.connector.attrib.connectionTimeout</name>
<value>1000000</value>
</property>
```
Diffs
-----
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java a0d616925
Diff: https://reviews.apache.org/r/74615/diff/1/
Testing
-------
#### Step 1: Run the command `slowhttptest -c 400 -H -i 10 -r 200 -t GET -u http://rangerhost:6080/ -x 24 -p 3 -l 200`
##### Final output:
```text
Wed Sep 20 13:57:04 2023:
slow HTTP test status on 15th second:
initializing: 0
pending: 0
connected: 3
error: 0
closed: 397
service available: YES
Wed Sep 20 13:57:04 2023:
Test ended on 15th second
Exit status: No open connections left
```
***Note: The connection is closed properly***
#### Step 2: Modify the configuration file `ranger-admin/ews/webapp/WEB-INF/classes/conf/ranger-admin-site.xml`, and add the parameter `ranger.service.http.connector.attrib.connectionTimeout = 1000000` (a larger value)
```xml
<property>
<name>ranger.service.http.connector.attrib.connectionTimeout</name>
<value>1000000</value>
</property>
```
#### Step 3: Restart ranger-admin
#### Step 4: Run the command from step 1
##### Final output (after 200 seconds):
```text
Wed Sep 20 14:16:48 2023:
slow HTTP test status on 200th second:
initializing: 0
pending: 0
connected: 400
error: 0
closed: 0
service available: YES
Wed Sep 20 14:16:49 2023:
Test ended on 201th second
Exit status: Hit test time limit
```
***Note: The connection is not closed***
Thanks,
shanyingying
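To make concrete what the connectionTimeout knob in the description above does, here is an added stand-alone model (example code, not Ranger's or Tomcat's): a one-connection listener that gives the client a bounded time to finish its request headers, probed once by a complete request and once by a request that stalls mid-headers. The function names, the 8192-byte header cap and the constructed requests are assumptions of this example; Tomcat's own connectionTimeout is the time the connector allows, after accepting a connection, for the request line to arrive.

```python
import socket
import threading

# Constructed demonstration (not Ranger or Tomcat code) of what a connector
# connectionTimeout buys you: the listener gives a client a bounded time to
# finish its request headers, so a connection that trickles or stalls is
# dropped instead of occupying a worker for as long as the client likes.

MAX_HEADER_BYTES = 8192  # bound memory as well as time (assumed cap)

def handle_connection(conn, timeout_s):
    """Read one request's headers within timeout_s; return the server's verdict."""
    conn.settimeout(timeout_s)  # the analogue of Tomcat's connectionTimeout
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                return "closed_by_peer"
            buf += chunk
            if len(buf) > MAX_HEADER_BYTES:
                return "headers_too_large"
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        return "served"
    except socket.timeout:
        return "timed_out"  # headers never completed: reclaim the worker
    finally:
        conn.close()

def serve_and_probe(timeout_s, request_bytes):
    """One-shot server with the given header timeout, probed by a client that sends
    request_bytes and then waits. Returns (verdict, bytes the client received);
    the client sees b"" when the server hangs up on it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral local port
    srv.listen(1)
    verdict = []
    def accept_one():
        conn, _ = srv.accept()
        verdict.append(handle_connection(conn, timeout_s))
    t = threading.Thread(target=accept_one)
    t.start()
    cli = socket.create_connection(srv.getsockname())
    cli.sendall(request_bytes)
    cli.settimeout(timeout_s + 5)  # wait for either a response or a hang-up
    got = cli.recv(4096)
    cli.close()
    t.join()
    srv.close()
    return verdict[0], got
```

The trade-off the testing section shows is the same one this model makes visible: a short timeout reclaims stalled connections (step 1), while a very long one such as 1000000 ms lets all 400 of them stay open for the whole run (step 4).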