Svnserve DoS

From: Bostjan Skufca <bostjan_at_a2o.si>
Date: Tue, 8 Nov 2011 11:36:52 +0100

Hello,

(firstly I apologise for mailing to both lists simultaneously but this
concerns both products)

One of our developers accidentaly stumbled upon an effective way to DoS the
whole server by unknowingly trying to access parts of SVN repo he was not
authorized for. The svnserve daemon spawned a child which replied with
"authorization error", but developer's client (TortoiseSVN) just created
new connection and tried again, in a loop. For unknown reason, it also did
not close previous connection and this resulted in creation of several
thousand svnserve processes and server crash due to exhausted RAM issue.

SVN server was running in standalone mode, version 1.7.1.
Client has TortoiseSVN version 1.7.0.

I have two questions:

1.) is this a known server issue and is there a way to limit number of
processes svnserve creates in standalone mode? (we've switched ti xinetd
currently to prevent DoS)

2.) is this a known client issue?

Best regards,
b.
Received on 2011-11-08 11:37:28 CET

This message: [ Message body ]
Next message: Stefan Sperling: "Re: Cross-device link problem with 1.7.x"
Previous message: Markus Schaber: "AW: [PATCH] commit --include-externals (v2)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]