PS. If this is an issue for you at the moment you might apply an iptables based filter to address this until a proper patch can be applied. For example something like
iptables -A INPUT -p tcp --syn --dport 2181 -m connlimit --connlimit-above 3 -j REJECT

will limit the number of connections from a particular IP address (2181 being the default ZK client port, YMMV).

Regards,

Patrick

On Mon, Nov 27, 2017 at 12:10 PM, Patrick Hunt <[email protected]> wrote:

> Hi zhanggang, thank you for the report. Unfortunately the attachment did
> not come through (probably stripped by the ML daemon).
>
> Iiuc this does sound like a problem that would be good to address. We have
> code in place to limit the number of concurrent sessions that a particular
> IP can hold open at any one time - specifically to address the type of
> issue you describe. However I believe it only addresses session count, not
> tcp connections. This would be a good one to fix - please create a jira and
> if possible submit a patch.
>
> Thanks!
>
> Patrick
>
> On Tue, Nov 21, 2017 at 7:09 AM, zhanggang <[email protected]> wrote:
>
>> Hi Zookeeper expert, we encountered a slow attack problem, described as
>> follows, please help to analyze and confirm, thank you very much.
>>
>> *Problem:*
>>
>> In the client using some method (such as telnet) to establish a tcp
>> connection with server-side zookeeper listening port, but after the
>> establishment of tcp connection, the client does not send any data.
>> However, apache will not disconnect this tcp connection, may lead to the
>> number of connections exhausted, resulting in DOS.
>>
>> *The attack process:*
>>
>> 1. The client executes the telnet service port
>>
>> Start the client telnet server port 21816,53236,50548, do not exit for a
>> long time:
>>
>> Executing an order:
>>
>> telnet 3.101.3.119 21816
>>
>> telnet 3.101.3.118 53236
>>
>> telnet 3.101.3.124 50548
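As an added example (not part of this thread or of ZooKeeper itself), a small defender-side check that applies the same per-source threshold as the connlimit rule above to a snapshot of `ss -tn` output, so an operator can see which peers are holding more than the allowed number of established connections to the client port. The `ss` sample is constructed, and the port and limit values are assumptions taken from the rule.

```python
"""Flag peer IPs holding too many established connections to the ZK client port.

Added example, not from the thread: a defender-side check that applies the same
per-source threshold as the iptables connlimit rule to a snapshot of `ss -tn`.
"""
from collections import Counter

ZK_CLIENT_PORT = 2181   # default ZK client port, as in the iptables rule (assumption)
PER_IP_LIMIT = 3        # mirrors --connlimit-above 3 (assumption)

# Constructed sample of `ss -tn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB    0      0      10.0.0.5:2181       192.0.2.10:40001
ESTAB    0      0      10.0.0.5:2181       192.0.2.10:40002
ESTAB    0      0      10.0.0.5:2181       192.0.2.10:40003
ESTAB    0      0      10.0.0.5:2181       192.0.2.10:40004
ESTAB    0      0      10.0.0.5:2181       192.0.2.77:51000
ESTAB    0      0      10.0.0.5:22         192.0.2.10:40005
SYN-RECV 0      0      10.0.0.5:2181       192.0.2.99:60000
"""


def split_host_port(addr):
    """Split 'host:port' from the right so IPv6 forms like [::1]:2181 survive."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def established_per_peer(ss_output, local_port=ZK_CLIENT_PORT):
    """Count ESTAB connections to local_port, keyed by peer IP."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # skip the header, half-open (SYN-RECV) and malformed lines
        _, lport = split_host_port(fields[3])
        peer_ip, _ = split_host_port(fields[4])
        if lport == local_port:
            counts[peer_ip] += 1
    return counts


def peers_over_limit(counts, limit=PER_IP_LIMIT):
    """Return [(peer_ip, n)] for peers holding more than `limit` connections."""
    return sorted((ip, n) for ip, n in counts.items() if n > limit)


if __name__ == "__main__":
    # On a live host, feed the stdout of `ss -tn` here instead of the sample.
    for ip, n in peers_over_limit(established_per_peer(SAMPLE_SS_OUTPUT)):
        print(f"{ip} holds {n} connections to port {ZK_CLIENT_PORT} (limit {PER_IP_LIMIT})")
```

The check counts only fully established connections, which is the state the idle-telnet connections in the report sit in; a peer over the limit here is exactly one the connlimit rule would start rejecting.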
