
RE: Svnserve DoS

From: Fuhrmann Stefan (ETAS/ESA1) <Stefan.Fuhrmann_at_etas.com>
Date: Tue, 8 Nov 2011 13:04:28 +0000

Bostjan Skufca wrote:

> One of our developers accidentally stumbled upon an effective way to DoS
> the whole server by unknowingly trying to access parts of SVN repo he was
> not authorized for. The svnserve daemon spawned a child which replied with
> "authorization error", but developer's client (TortoiseSVN) just created new
> connection and tried again, in a loop. For unknown reason, it also did not close
> previous connection and this resulted in creation of several thousand svnserve
> processes and server crash due to exhausted RAM issue.

Does that happen with ordinary operations like showing the log
and checking out or is this caused by the repository browser?
The latter will e.g. try to read the content of all immediate sub-folders.

Can you reproduce the problem with the command line client?

> SVN server was running in standalone mode, version 1.7.1.

What OS are you using on the server-side?

Have you tried the threaded server (-T parameter)?
At least the extra cost per request could be lower.

> Client has TortoiseSVN version 1.7.0.

> I have two questions:

> 1.) is this a known server issue and is there a way to limit number of processes
> svnserve creates in standalone mode? (we've switched to xinetd currently to prevent DoS)
> 2.) is this a known client issue?

AFAIK, this is not a known issue. From the sound of it,
I would expect it to be a client-induced problem. But I
can't say whether it is the TSVN code causing the problem
or the svn client libs used by TSVN.

-- Stefan^2.
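The two practical points in this exchange are detecting the failure mode (one client holding thousands of svnserve connections open) and capping it from the outside, which is what the xinetd switch does. The script below is an added example, not code from the thread or from the Subversion or TortoiseSVN projects. It assumes the connection table comes from `ss -tn` (columns State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), that svnserve listens on the default port 3690, and that the repository root is /srv/svn served as user svn; the threshold of 20 connections per source and the sample connection list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): flag a single client that has piled up
# svnserve connections, and show the xinetd limits that cap this in inetd mode.

SVN_PORT=3690        # default svnserve port (assumption: not overridden with --listen-port)
MAX_PER_SOURCE=20    # assumption: more than this from one IP is a runaway client

# flag_sources: read "ss -tn" style lines on stdin and print "IP count" for
# every peer address holding more than MAX_PER_SOURCE established connections
# to SVN_PORT. Other local ports (e.g. ssh) are ignored.
flag_sources() {
    awk -v port="$SVN_PORT" -v max="$MAX_PER_SOURCE" '
        $1 == "ESTAB" {
            lport = $4; sub(/.*:/, "", lport)       # local port after last colon
            src = $5;   sub(/:[0-9]+$/, "", src)    # peer address without its port
            if (lport == port) n[src]++
        }
        END { for (ip in n) if (n[ip] > max) print ip, n[ip] }
    ' | sort -k2,2nr
}

# sample_ss: constructed "ss -tn" output. 10.0.0.7 is the workstation stuck in
# the reconnect loop described in the thread; 10.0.0.9 is a normal client; the
# ssh line shows that non-svn traffic is not counted.
sample_ss() {
    printf 'State Recv-Q Send-Q Local Address:Port Peer Address:Port\n'
    i=0
    while [ "$i" -lt 25 ]; do
        printf 'ESTAB 0 0 192.168.1.10:3690 10.0.0.7:%d\n' $((40000 + i))
        i=$((i + 1))
    done
    printf 'ESTAB 0 0 192.168.1.10:3690 10.0.0.9:51000\n'
    printf 'ESTAB 0 0 192.168.1.10:22 10.0.0.7:51001\n'
}

# xinetd_svn_config: the service entry that bounds the damage when svnserve is
# run from xinetd (-i). "instances" caps total concurrent svnserve processes,
# "per_source" caps processes per client IP, and "cps" rate-limits new
# connections (here: above 25/s, refuse for 10 s). All values are assumptions
# to be tuned per site. In standalone (-d) mode there is no such cap in 1.7.
xinetd_svn_config() {
    cat <<'EOF'
service svn
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    disable         = no
    user            = svn
    server          = /usr/bin/svnserve
    server_args     = -i -r /srv/svn
    instances       = 50
    per_source      = 10
    cps             = 25 10
}
EOF
}

# Live use on the server would be:  ss -tn | flag_sources
# Offline demonstration on the constructed sample:
sample_ss | flag_sources        # prints: 10.0.0.7 25
```

The detection half only needs `ss` (or `netstat -tn`, whose Local/Foreign Address columns are in the same positions) and awk, so it can run from cron as an early warning before the fork-per-connection daemon exhausts memory; the xinetd half is the actual cap, and `per_source` is the setting that addresses the single-client loop in the report.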

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=757&dsMessageId=2876265

Received on 2011-11-08 14:04:33 CET

This is an archived mail posted to the TortoiseSVN Dev mailing list.
