[JDEV] Possible Denial of Service in mio_ssl.c
Nathan Sharp
spamnps+jabber at phoenix-int.com
Fri Jun 7 09:31:09 CDT 2002
Martin,
This is the bug that I just found the other day! Look back to last week
and you'll see a patch I submitted to the jdev list which fixes this
problem. (suspicious that this script happens just after I posted the
patch ;-)
The problem is that non-blocking mode is not inherited by the accepted
socket, and isn't set until after the initial ssl negotiation, thereby
locking up the jabber server until the ssl is negotiated. The patch
sets the non-blocking mode immediately, and regular karma and rate
limits take care of everything past that.
Good luck!
Nathan
Martin Lesser wrote:
>The last days we had some trouble with a script-kiddie:
>
>Looks like this kid wrote a script which permanently (at least every
>second) tried to connect to port 5223 of our Jabber-Server (1.4.2)
>without having a real ssl-client at his side.
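Nathan's fix, as he describes it, is to put the accepted socket into non-blocking mode immediately rather than after the SSL negotiation. The C below is an added example, not the jabberd patch: it shows that pattern and, over a local AF_UNIX socket (constructed path, no network), that an accepted socket has to be made non-blocking explicitly, since on Linux accept() does not propagate O_NONBLOCK from the listening socket.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* 1 if fd has O_NONBLOCK set, 0 if not, -1 on error. */
int is_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : (flags & O_NONBLOCK) != 0;
}

/* Add O_NONBLOCK to fd, keeping its other status flags. */
int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Patched pattern: make the accepted socket non-blocking at once, before
 * any TLS handshake touches it, so a silent peer cannot stall the loop. */
int accept_nonblocking(int listen_fd)
{
    int fd = accept(listen_fd, NULL, NULL);
    if (fd >= 0 && set_nonblocking(fd) < 0) { close(fd); return -1; }
    return fd;
}

/* Constructed demo over a local AF_UNIX socket (no network): a non-blocking
 * listener accepts one connection via plain accept() (patched == 0) or
 * accept_nonblocking() (patched == 1) and reports whether the accepted fd
 * is non-blocking. On Linux the plain path gives 0: accept() does not
 * propagate O_NONBLOCK from the listening socket. */
int demo(const char *path, int patched)
{
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    int cfd = socket(AF_UNIX, SOCK_STREAM, 0), afd, result = -1;
    strncpy(a.sun_path, path, sizeof a.sun_path - 1);
    unlink(path);
    if (lfd >= 0 && cfd >= 0 && bind(lfd, (struct sockaddr *)&a, sizeof a) == 0 &&
        listen(lfd, 1) == 0 && set_nonblocking(lfd) == 0 &&
        connect(cfd, (struct sockaddr *)&a, sizeof a) == 0) {
        afd = patched ? accept_nonblocking(lfd) : accept(lfd, NULL, NULL);
        if (afd >= 0) { result = is_nonblocking(afd); close(afd); }
    }
    close(lfd); close(cfd); unlink(path);
    return result;
}
```

Whether the plain accept() path returns 0 or 1 depends on the platform (Linux does not inherit the flag, some BSDs do), which is exactly why the patch sets it unconditionally.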