[ https://issues.apache.org/jira/browse/JAMES-1427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13618295#comment-13618295 ]

Eric Charles commented on JAMES-1427:
-------------------------------------

Hi Andrzej,
Patch looks good, but I get some rejects when trying to apply it on trunk:

patch -p0 --dry-run < JAMES-1427.patch
(Stripping trailing CRs from patch.)
patching file protocols/smtp/src/main/java/org/apache/james/protocols/smtp/core/fastfail/MaxUnknownCmdHandler.java
Hunk #1 FAILED at 27.
Hunk #2 FAILED at 36.
Hunk #3 FAILED at 55.
3 out of 3 hunks FAILED -- saving rejects to file protocols/smtp/src/main/java/org/apache/james/protocols/smtp/core/fastfail/MaxUnknownCmdHandler.java.rej
(Stripping trailing CRs from patch.)


                
> DoS scenario(s) in SMTP server
> ------------------------------
>
>                 Key: JAMES-1427
>                 URL: https://issues.apache.org/jira/browse/JAMES-1427
>             Project: James Server
>          Issue Type: Bug
>          Components: SMTPServer
>    Affects Versions: 3.0-beta3
>            Reporter: Andrzej Rusin
>         Attachments: JAMES-1427.patch
>
>
> 1. SMTP server allows unlimited number of invalid commands, which may waste 
> network bandwidth.
> 2. The invalid commands go straight to the logs with level INFO, which can 
> easily fill up the server disk.
> Additionally:
> 3. After the max message size is reached, the SMTP server denies the message, 
> but client keeps sending, which makes the remaining part of the message go 
> straight to the log because of 2.
> Ideas to fix:
> A. Do not log more than N invalid commands per connection - solve 2,
> B. Drop connection after Nth (consecutive?) invalid command - solve 1 and 2,
> C. (This one is questionable) Drop the connection after max message size is 
> reached - solve 3

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
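
Added example, not part of the original message and not code from the James project: a minimal per-connection guard combining ideas A and B from the issue description (cap the number of logged invalid commands, drop the connection after the Nth consecutive one). The class name, the thresholds, the 64-character log clip and the sample session are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

// Added example. Hypothetical class, not James's MaxUnknownCmdHandler.
public class UnknownCommandGuard {
    private static final Set<String> KNOWN =
            Set.of("HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT");
    private final int maxLogged;       // idea A: log at most this many per connection
    private final int maxConsecutive;  // idea B: drop after this many in a row
    private int logged;
    private int consecutive;

    public UnknownCommandGuard(int maxLogged, int maxConsecutive) {
        this.maxLogged = maxLogged;
        this.maxConsecutive = maxConsecutive;
    }

    /** Returns true when the connection should be dropped. */
    public boolean onLine(String line) {
        String verb = line.split(" ", 2)[0].toUpperCase(Locale.ROOT);
        if (KNOWN.contains(verb)) {
            consecutive = 0;           // a valid command resets the streak
            return false;
        }
        consecutive++;
        if (logged < maxLogged) {
            logged++;
            System.out.println("INFO unknown command: " + clip(line));
        } else if (logged == maxLogged) {
            logged++;                  // one final notice, then silence
            System.out.println("INFO further unknown commands on this connection are not logged");
        }
        return consecutive >= maxConsecutive;
    }

    // Bound what a single line can add to the log (assumed limit of 64 characters).
    private static String clip(String line) {
        return line.length() > 64 ? line.substring(0, 64) + "..." : line;
    }

    public static void main(String[] args) {
        UnknownCommandGuard guard = new UnknownCommandGuard(2, 4);
        // Constructed session: a client that keeps sending body lines as commands (scenario 3).
        String[] session = {"EHLO client.example", "Subject: hi", "line 2", "NOOP",
                            "line 3", "line 4", "line 5", "line 6", "QUIT"};
        for (String line : session) {
            if (guard.onLine(line)) {
                System.out.println("421 too many unknown commands, closing connection");
                break;
            }
        }
    }
}
```

With these thresholds the sample session logs two invalid lines and one suppression notice, and the connection is closed at "line 6", the fourth consecutive invalid command after the NOOP reset.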
