DOS by capturing all threads

Bug #964191 reported by Corbin
This bug affects 1 person
Affects: HTTPy
Status: Fix Committed
Importance: High
Assigned to: Corbin

Bug Description

By 'thread' I mean a threaded ClientHandler object.

After a connection is made and passed off to the queue, one of the threads takes it out of the queue and handles it. Basically, it just waits for the client to send his request, figures out what the client wants, sends it to the client, and closes the connection. But if the client never sends a request, the thread just sits and waits until the client closes the connection. Using this, an attacker is able to deny service to legitimate clients by capturing all of the server's threads. This is very easy to do, as the default configuration uses only five threads.

I am attaching the exploit code I used to research this vulnerability.

I would recommend fixing this bug by setting a limit on how long a thread can wait for a request. Something like 25 ms. If the connected client doesn't send a request in that time, the thread just closes the connection and moves on to the next client on the queue.
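The mitigation recommended above, sketched as an added example that is not part of the original report and is not HTTPy's own code. It assumes a Python worker that receives an accepted socket; `read_request`, `handle`, and the constants are hypothetical names. It goes slightly beyond the report by applying the deadline to the whole request read rather than to each `recv()`, so a client that trickles bytes is dropped as well.

```python
import socket
import time

REQUEST_DEADLINE = 0.025  # seconds; the report suggests something like 25 ms
MAX_HEADER_BYTES = 8192   # assumed cap on the size of the request head


def read_request(conn, deadline=REQUEST_DEADLINE):
    """Return the raw request head, or None if the client is idle or too slow.

    The deadline covers the whole read, not each recv(), so a client that
    sends one byte at a time cannot hold the worker thread either.
    """
    end = time.monotonic() + deadline
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = end - time.monotonic()
        if remaining <= 0 or len(buf) >= MAX_HEADER_BYTES:
            return None
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return None
        if not chunk:  # peer closed before finishing the request
            return None
        buf += chunk
    return buf


def handle(conn, deadline=REQUEST_DEADLINE):
    """Worker body: the thread is always released once the deadline passes."""
    try:
        request = read_request(conn, deadline)
        if request is None:
            return "dropped"
        # Placeholder response; a real handler would parse `request` here.
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
        return "served"
    finally:
        conn.close()
```

A deadline this short will also drop legitimate clients on slow links, so the value is a trade-off between availability under load and tolerance for latency.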

Corbin (corbin) wrote: visibility: private → public
Corbin (corbin) changed in httpy: status: Confirmed → Fix Committed
This report contains Public Security information  
Everyone can see this security related information.