[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867074#comment-15867074 ]
Patrick Hunt commented on ZOOKEEPER-2693:
-----------------------------------------

Yes, effectively a rate limiter. However I was thinking in terms of number of 4lw that we would allow to run concurrently, vs number of operations per second. This would address outliers - possibly very long running 4lw. "only let one 4lw run at a time, even if it takes 20 seconds".

Historically we've limited our dependency on other components. Neither 3.4 nor 3.5 are pulling in guava today. One of the issues we've heard from users is that (component versioning issues in particular) complicates deployment. I think adding new dependencies to something like 3.4.10, ostensibly a fix release, would be unwise. I threw the idea out there as a suggestion. We can take it or leave it for the various releases.

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK
> client port - typically 2181. The following POC attack was recently published
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
>
> The most straightforward way to block this attack is to not allow access to
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service
> and only allow access to trusted applications using it for coordination.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
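A sketch of the concurrency cap Patrick describes above (a fixed number of 4lw commands in flight, rather than an operations-per-second limit), as an added example that is not ZooKeeper code or anything posted in this thread; the class name, the 200 ms stand-in for a wchc dump and the busy-reply wording are assumptions:

```java
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;

/** Hypothetical guard, not ZooKeeper's own code: caps how many four-letter-word
 *  commands may execute at once, regardless of how many arrive per second. */
public final class FourLetterWordGuard {
    private final Semaphore permits;
    private long rejected = 0;

    public FourLetterWordGuard(int maxConcurrent) {
        this.permits = new Semaphore(maxConcurrent, true);
    }

    /** Runs cmd only if a permit is free; otherwise answers at once without doing the work,
     *  so a flood of expensive wchc/wchp requests cannot pile up on the server. */
    public String run(String name, Supplier<String> cmd) {
        if (!permits.tryAcquire()) {              // non-blocking: never queue the caller
            synchronized (this) { rejected++; }
            return name + " is temporarily unavailable: server busy";
        }
        try {
            return cmd.get();
        } finally {
            permits.release();                    // free the slot even if cmd throws
        }
    }

    public synchronized long rejectedCount() { return rejected; }

    public static void main(String[] args) throws InterruptedException {
        FourLetterWordGuard guard = new FourLetterWordGuard(1); // "only let one 4lw run at a time"
        Thread[] clients = new Thread[8];
        for (int i = 0; i < clients.length; i++) {
            clients[i] = new Thread(() -> {
                // constructed stand-in for a slow wchc dump: sleeps, then returns fixed text
                String reply = guard.run("wchc", () -> {
                    try { TimeUnit.MILLISECONDS.sleep(200); }
                    catch (InterruptedException e) { Thread.currentThread().interrupt(); }
                    return "wchc: 1 session, 3 watched paths (constructed output)";
                });
                System.out.println(Thread.currentThread().getName() + " -> " + reply);
            });
            clients[i].start();
        }
        for (Thread t : clients) t.join();
        System.out.println("rejected " + guard.rejectedCount() + " of " + clients.length + " requests");
    }
}
```

With a permit count of 1, all but the first concurrent caller is turned away immediately, which is the outlier case (a single 20-second 4lw) that a per-second rate limit would not bound.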