YaCy-Bugtracker

View Issue Details
ID: 0000764
Project: YaCy
Category: [All Projects] General
View Status: public
Date Submitted: 2017-07-22 09:30
Last Update: 2017-08-29 19:42
Reporter: smokingwheels
Assigned To:
Priority: low
Severity: crash
Reproducibility: always
Status: new
Resolution: open
ETA: none
Platform: Linux
OS:
OS Version:
Product Version: YaCy 1.9
Target Version:
Fixed in Version:
Summary: 0000764: It's possible to overload a peer just by asking for.
Description: It's possible to overload a peer just by asking for the network peers page with a wget loop.
My system slowly uses more swap area until the system is non-responsive.

Tags: No tags attached.
Attached Files

- Relationships

-  Notes
(0001469)
luc (reporter)
2017-08-16 08:26

Are you requesting the raw /Network.html page (with the network picture overview), or one page such as /Network.html?page=1&maxCount=1000 (Active Principal and Senior Peers)?
(0001470)
smokingwheels (reporter)
2017-08-16 22:32

Yes, that's the URL; there are others. On most peers it is a public page and open to abuse. I have seen my JVM spike a few times and make my system go into heavy swap action.

Could you have an HTTP 503 if a particular IP is accessing your peer too often?
I guess one would want to be able to set the threshold depending on CPU power, e.g. a Raspberry Pi or similar, or some multi-core cloud computer.
(0001471)
luc (reporter)
2017-08-17 08:29

Yes, more generally, integrating the Jetty DoS filter protection (http://www.eclipse.org/jetty/documentation/current/dos-filter.html) is maybe something to consider.

But again, on this specific case, which URL exactly are you requesting? I ask this to be sure to reproduce your case, because the overview page with the picture (/Network.html) already implements some protection against abuse from unauthenticated users (see https://github.com/yacy/yacy_search_server/blob/Release_1.92/htroot/NetworkPicture.java#L53).
(0001472)
smokingwheels (reporter)
2017-08-29 19:42

It may be because I have a very slow PC.

Yes, this is the page I can access on most peers with default settings.
 /Network.html?page=1&maxCount=1000 (Active Principal and Senior Peers)

I know you can password protect the pages with an extra setting as it stands now.
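
The per-IP HTTP 503 throttle suggested in the notes above, as an added example that is not part of the original thread and not YaCy or Jetty code: a token bucket keyed by client address, with rate and burst left as parameters so a slow peer can be set lower than a multi-core host. The class name, parameter values and sample addresses are assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class, not YaCy or Jetty code): per-client token bucket.
public class PerIpThrottle {
    private static final class Bucket { double tokens; long lastMillis; }

    private final double ratePerSec;     // sustained requests per second allowed per IP
    private final double burst;          // bucket capacity, i.e. tolerated short burst
    private final long idleEvictMillis;  // forget clients idle for this long
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();

    public PerIpThrottle(double ratePerSec, double burst, long idleEvictMillis) {
        this.ratePerSec = ratePerSec;
        this.burst = burst;
        this.idleEvictMillis = idleEvictMillis;
    }

    // Returns the HTTP status to send: 200 to serve the page, 503 to refuse it.
    public int statusFor(String clientIp, long nowMillis) {
        Bucket b = buckets.computeIfAbsent(clientIp, k -> {
            Bucket fresh = new Bucket();
            fresh.tokens = burst;          // a new client starts with a full bucket
            fresh.lastMillis = nowMillis;
            return fresh;
        });
        synchronized (b) {
            // Refill in proportion to elapsed time, capped at the burst size.
            double refill = Math.max(0, nowMillis - b.lastMillis) / 1000.0 * ratePerSec;
            b.tokens = Math.min(burst, b.tokens + refill);
            b.lastMillis = nowMillis;
            if (b.tokens < 1.0) return 503;
            b.tokens -= 1.0;
            return 200;
        }
    }

    // Run periodically: the tracking map must not become a memory sink itself.
    public void evictIdle(long nowMillis) {
        buckets.values().removeIf(b -> {
            synchronized (b) { return nowMillis - b.lastMillis > idleEvictMillis; }
        });
    }

    public static void main(String[] args) {
        // Constructed input: a slow peer allowing 1 request/s with a burst of 3.
        PerIpThrottle throttle = new PerIpThrottle(1.0, 3.0, 60_000);
        for (int i = 0; i < 5; i++)   // five requests in the same millisecond
            System.out.println("192.0.2.10 t=0s   -> " + throttle.statusFor("192.0.2.10", 0));
        System.out.println("198.51.100.7 t=0s -> " + throttle.statusFor("198.51.100.7", 0));
        System.out.println("192.0.2.10 t=2s   -> " + throttle.statusFor("192.0.2.10", 2_000));
        throttle.evictIdle(120_000);
    }
}
```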

- Issue History
Date Modified Username Field Change
2017-07-22 09:30 smokingwheels New Issue
2017-08-16 08:26 luc Note Added: 0001469
2017-08-16 22:32 smokingwheels Note Added: 0001470
2017-08-17 08:29 luc Note Added: 0001471
2017-08-29 19:42 smokingwheels Note Added: 0001472

