zhuguoqiang / rfc5766-turn-server

Automatically exported from code.google.com/p/rfc5766-turn-server
0 stars 0 forks source link

Sockets leak and DOS attack prevention #42

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1.I use pjnath library, and pjsua client(UAS,UAC)

2.Client fast speed duplicate connect and disconnect, and then sometimes(upon 
4) later will reproduce the problem. I find 
client_ss_allocation_timeout_handler(refresh_client_ss_allocation_timeout_handle
r) the callback will run loss sometimes. why? This libevent library is a issue?

What version of the product are you using? On what operating system?
The new version also has this problem.

Please provide any additional information below.
Sorry, I know little English, I hope you can understand what express meaning .
Thank you!

Original issue reported on code.google.com by yusunxu...@gmail.com on 18 Jul 2013 at 6:01

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
when disconnet, the client has disconnet complete, and socket file descriptor 
has release of client. But socket file descriptor has not release of turnserver.

Original comment by yusunxu...@gmail.com on 18 Jul 2013 at 6:10

GoogleCodeExporter commented 8 years ago
Sorry, I indeed have difficulty understanding what you mean. Do you mean that 
the socket file descriptors are not released, sometimes ? I've never seen that 
problem. I'll double-check it. What kind of test configuration are you running ?

Original comment by mom040...@gmail.com on 18 Jul 2013 at 3:18

GoogleCodeExporter commented 8 years ago
I'll try to play with my DOS tests to reproduce the problem.

Original comment by mom040...@gmail.com on 18 Jul 2013 at 3:59

GoogleCodeExporter commented 8 years ago
I managed to reproduce a rare minor sockets leak in an intensive DOS attack 
test. I am working on it.

Original comment by mom040...@gmail.com on 18 Jul 2013 at 7:24

GoogleCodeExporter commented 8 years ago

Original comment by mom040...@gmail.com on 18 Jul 2013 at 11:28

GoogleCodeExporter commented 8 years ago
This will be fixed in 2.1.1.1

Original comment by mom040...@gmail.com on 18 Jul 2013 at 11:30

GoogleCodeExporter commented 8 years ago
Thank you for your help. 
The attach file is my turnserver.conf, and the mysql DB config file is default 
config file.
I use this command to add the database data:
turnadmin -a --mysql-userdb="host=localhost dbname=*** user=*** password=*** 
connect_timeout=30" -u test –r reTurn -p 1234
And all other operations is the default.
Sorry, my english is not good.

Original comment by yusunxu...@gmail.com on 19 Jul 2013 at 1:27

Attachments:

GoogleCodeExporter commented 8 years ago
Thanks.

I found a small sockets leak and I am fixing it.

Unfortunately, even if the TURN server does everything correctly then still it 
is possible to reach the "too many open sockets" state. If you are quickly 
opening new sessions, and especially if you set longer lifetime on the sessions 
(like 1800 or 3600) then eventually there will be more sockets than you system 
allow. UDP sessions do not have explicit "close" procedure - they are getting 
closed on timeout, by default it is 10 minutes.

You can set user quotes to prevent single user from opening too many sessions. 
Other than that, not much can be done. After the socket limit exhaustion, the 
server stops accepting the new connections; but it is pretty much alive and it 
will eventually recover when the unused sessions will be cleaned out. Then the 
server will be available again.

You can also start the TURN server from the root account, then on some systems 
it will have higher limit of sockets number. 

Original comment by mom040...@gmail.com on 19 Jul 2013 at 1:39

GoogleCodeExporter commented 8 years ago
Yes, Sometimes,the socket file are not released. This occur at client connect 
and disconnect fast speed. the not release socket file  is create by 
create_unbound_ioa_socket func. My client connect will produce 24 socket file 
descriptor one time. Beauese one time has UAC and UAS client.

Original comment by yusunxu...@gmail.com on 19 Jul 2013 at 1:41

GoogleCodeExporter commented 8 years ago
As I said, the UDP sessions do not have "disconnect" procedure - they are 
getting closed on timeout. You can make that cleanup quick if you set short 
allocation session lifetime. So, if you are using default lifetime (600 
seconds) and you are connection 100 sessions per second, then in 1 minutes you 
will have 6000 sessions, and so on. The TURN server will start releasing 
sessions only after 10 minutes, unless you explicitly use short LIFETIME 
attribute in the session allocation. After 2 minutes you will see messages like 
"too many open sockets" and between 2nd and 10th minutes the TURN server will 
reject any new connection. After 10th minute, it will start accepting them 
again.

Original comment by mom040...@gmail.com on 19 Jul 2013 at 1:48

GoogleCodeExporter commented 8 years ago
Thanks a lot!
I know what you mean. I has a question, When client connect to turnserver, it 
will registered refresh_client_ss_allocation_timeout_hander event, but 
sometimes the client_ss_allocation_timeout_handler callback has not run, so at 
this time the unbount ioa socket will leak.This situation can improve by way of 
what you said ?

Original comment by yusunxu...@gmail.com on 19 Jul 2013 at 4:35

GoogleCodeExporter commented 8 years ago
I say disconnect is close the client proecss. so at this time, the 
client_ss_allocation_timeout event will run, but sometimes it has not run

Original comment by yusunxu...@gmail.com on 19 Jul 2013 at 4:38

GoogleCodeExporter commented 8 years ago
I changed the code, it will always run, with an interval. I changed the meaning 
of that callback. It was a one-time callback, now it will be a "persistent" 
event - a sort of garbage collector. You can take the latest code from SVN as a 
preview.

Original comment by mom040...@gmail.com on 19 Jul 2013 at 4:40

GoogleCodeExporter commented 8 years ago
Thanks a lot!
I run the new version of TURN Server from SVN, Now, It run ok. It has not 
produce the problem.I will do a pressure testing again .

Original comment by yusunxu...@gmail.com on 19 Jul 2013 at 5:09

GoogleCodeExporter commented 8 years ago
I put 2.1.1.1 tarball into the downloads.

Original comment by mom040...@gmail.com on 19 Jul 2013 at 5:15

GoogleCodeExporter commented 8 years ago
I produced a new build, 2.1.2.0, that is specially optimized for Linux. Its
main focus is DOS attacks defense in Linux environment.

Original comment by mom040...@gmail.com on 20 Jul 2013 at 11:23