[Twisted-Python] Protocol handler are open to DoS attacks

Itamar Shtull-Trauring lists at itamarst.org
Tue Sep 25 09:43:33 MDT 2001


In general, I've been noticing that the behaviour of protocols given illegal 
inputs is problematic - no length limits, and garbage is raised as part of 
exceptions.

Problem 1 leads to giant memory usage - a line receiver can receive MBs and 
MBs of data, which it will happily buffer until it gets a line break. The other 
problem leads to mucho garbage and exceptions in the log.

See protocols.basic.SafeNetstringReceiver to see how I solved it for 
netstrings.

You can test both things on Unix - run a webserver on port 8080, then:

# send infinite data
$ yes | netcat localhost 8080

# send garbage
$ cat /dev/urandom | netcat localhost 8080
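
Added example, not part of the original post and not Twisted's own code: a stand-alone line splitter that caps how much it will buffer while waiting for a delimiter, and reports only sizes when it gives up. The names BoundedLineBuffer and LineTooLong and the 16384-byte default are assumptions made for illustration.

```python
class LineTooLong(Exception):
    """Peer sent more than max_length bytes without completing a line."""


class BoundedLineBuffer:
    """Hypothetical line splitter (not Twisted's API) with a hard buffer cap."""

    def __init__(self, max_length=16384, delimiter=b"\r\n"):
        self.max_length = max_length
        self.delimiter = delimiter
        self._buf = b""
        self.closed = False

    def feed(self, data):
        """Accept one network read and return the lines it completed."""
        if self.closed:
            return []  # peer was already dropped; ignore further input
        self._buf += data
        lines = []
        while True:
            idx = self._buf.find(self.delimiter)
            if idx == -1:
                break
            line = self._buf[:idx]
            self._buf = self._buf[idx + len(self.delimiter):]
            if len(line) > self.max_length:
                self._fail(len(line))
            lines.append(line)
        # What is left is a partial line. `yes` output ("y\n" forever) never
        # contains "\r\n", so without this check it would grow without limit.
        if len(self._buf) > self.max_length:
            self._fail(len(self._buf))
        return lines

    def _fail(self, size):
        """Free the buffer, mark the peer as dropped, and raise."""
        self._buf = b""
        self.closed = True
        # Only sizes go into the message, never the peer's bytes, so random
        # input cannot end up in tracebacks or the log.
        raise LineTooLong(
            "line exceeded %d bytes (%d buffered)" % (self.max_length, size)
        )
```

A caller would catch LineTooLong in its data-received path and close the transport.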





