Reputation: 1
I found the issue below concerning inactive client connections (see Cassandra Security). We are using Cassandra 1.2.4 and the Cassandra JDBC driver as client. Is this still an existing issue?
Quoted from site above:
Denial of Service problem: Cassandra uses a Thread-Per-Client model in its network code. Since setting up a connection requires the Cassandra server to start a new thread on each connection (in addition to the TCP overhead incurred by the network), the Cassandra project recommends utilizing some sort of connection pooling. An attacker can prevent the Cassandra server from accepting new client connections by causing the Cassandra server to allocate all its resources to fake connection attempts. The only pieces of information required by an attacker are the IP addresses of the cluster members, and this information can be obtained by passively sniffing the network. The current implementation doesn't timeout inactive connections, so any connection that is opened without actually passing data consumes a thread and a file-descriptor that are never released.
Upvotes: 0
Views: 121
Reputation: 19377
Directly exposing Cassandra to the public network is still a bad idea, and connection pooling is still a good idea, but the native protocol is fully asynchronous.
Upvotes: 1