Bug #100602 for POE-Filter-SSL: [PATCH] (D)DoS issues with malicious clients sending random data

Sat Nov 29 05:47:50 2014 madis555 [...] hot.ee - Ticket created

Subject:	[PATCH] (D)DoS issues with malicious clients sending random data
Date:	Sat, 29 Nov 2014 12:47:36 +0200
To:	bug-POE-Filter-SSL [...] rt.cpan.org
From:	"Sulev-Madis Silber (ketas)" <madis555 [...] hot.ee>

Hello. I have a little patch for POE::Filter::SSL It's bad hack but it works for now. What's wrong is that when SSL client never completes handshake, for example when you just connect to port and start sending contents of /dev/urandom forever, it never fails... there is place in code where it carp()'s about "UNEXPECTED ERROR" but data still gets buffered until all memory is filled. I wonder what's the correct solution... dngor from POE had no idea too, and others in MAGnet : #poe My patch requires POE to kill the offending client's socket once it fails. For that, POE::Filter::SSL call()'s user-configured state to let it know that there's error. At least it only leaks some megabytes instead of gigabytes. I stress-tested this hack... leak never gets bigger than 10M or so. But it's a hack, a bad solution. http://ketas.si.pri.ee/POE-Filter-SSL-anti-ddos-hack.1417257430.diff Thanks.

Message body is not shown because sender requested not to inline it.

Fri Dec 04 09:01:27 2015 PRIVI [...] cpan.org - Correspondence added

Am Sa 29. Nov 2014, 05:47:50, madis555@hot.ee schrieb: Show quoted text

> Hello. > > I have a little patch for POE::Filter::SSL > [...]

Thank you very much! I will address this issue in the next version, showing this hints only if debug mode and only limited in the numbers per time. Regards, Markus

Fri Dec 04 09:01:28 2015 The RT System itself - Status changed from 'new' to 'open'

Wed Mar 30 13:58:07 2016 PRIVI [...] cpan.org - Correspondence added

Fixed in 0.29

Wed Mar 30 13:58:08 2016 PRIVI [...] cpan.org - Status changed from 'open' to 'resolved'