On 12/21/2012 3:31 PM, Chris Hostetter wrote:
: My Solr 4.1 dev server doesn't seem to have a problem handling this. I see a
: substantially similar exception when I send a similar request.
:
: I have a clarification, at least for 4.1: That specific exception is when it's
: a large negative number - larger than the numFound of the query. With a small
: negative number, it's a different exception. I won't be trying a small

weird ... definitely seems like something we should just nip in the bud --
fail hard and fast if start is < 0.
can you file a jira please?

Looks like it was a malicious user trying to break into our site. That
user was sending unusual values for our site parameters, including a
negative page number. The webapp happily used that value as-is. The
inputs are now being scrubbed.

In 3.5, the negative start parameter on the distributed search is
resulting in the same negative number being moved to the rows parameter
on the searches being sent to the shards. If I'm not mistaken, a
negative number for rows means "all results." I suspect that the DoS
problem is because the shards are trying to send all their matching rows
- the log entries say this is about 8 million on each of six shards.
This overloads the system, which valiantly tries to make the insane
request finish, and everything comes to a halt.

Failing hard & fast if there's a negative number on the start parameter
would stop the entire problem from happening. I am thinking this means
that I should not worry about the underlying DoS issue in 3.x and just
file the first one for 3.6 and 4.0. Is that right?

I have been experimenting in 4.1 and it doesn't seem to have the denial
of service problem. It looks like the entire request gets killed at the
first exception.

Thanks,
Shawn
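
The input scrubbing described in the message above, as an added example that is not part of the original thread or of Solr: a webapp-side check that turns untrusted paging values into Solr `start` and `rows` and refuses anything negative or malformed before a query is sent. The parameter names `page` and `per_page`, the limits and the function names are assumptions.

```python
import re

# Assumed limits for this sketch; tune them to the index and page layout.
MAX_ROWS = 100          # largest page size the webapp will ever request
MAX_START = 10_000      # deepest offset allowed, bounds per-shard work

_DIGITS = re.compile(r"[0-9]{1,9}")  # ASCII digits only: no sign, no spaces


class BadPagingParam(ValueError):
    """Raised so the webapp can answer 400 instead of querying Solr."""


def _parse_uint(name, raw, default):
    # A missing parameter gets the default; anything present must be clean.
    if raw is None:
        return default
    if not isinstance(raw, str) or not _DIGITS.fullmatch(raw):
        raise BadPagingParam(f"{name} must be a non-negative integer")
    return int(raw)


def solr_paging(query_args, default_rows=10):
    """Map untrusted 'page' and 'per_page' values to Solr start/rows."""
    page = _parse_uint("page", query_args.get("page"), 1)
    rows = _parse_uint("per_page", query_args.get("per_page"), default_rows)
    if page < 1:
        raise BadPagingParam("page starts at 1")
    if not 1 <= rows <= MAX_ROWS:
        raise BadPagingParam(f"per_page must be between 1 and {MAX_ROWS}")
    start = (page - 1) * rows
    if start > MAX_START:
        raise BadPagingParam("page is beyond the allowed depth")
    return {"start": start, "rows": rows}


def rejected(query_args):
    """Helper for the sample run: True when the request is refused."""
    try:
        solr_paging(query_args)
    except BadPagingParam:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests, including a negative page number.
    for args in ({"page": "3"}, {"page": "-5"}, {"per_page": "-1"}):
        print(args, "rejected" if rejected(args) else solr_paging(args))
```

Matching on ASCII digits before calling `int()` matters because Python's `int()` also accepts signs, surrounding whitespace and non-ASCII digits.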