
Java: Secure socket accepting

I got this multi-threaded server application that someone else wrote. When it is going to accept a Socket-object with its ServerSocket-object, it's running through a method called "acceptSocketSafe".

Here is a snippet of the program where I have included the parts of code needed:

public Socket acceptSocketSafe(ServerSocket x)  {
    boolean socketFound = false;
    Socket socket = null;

    do  {
        try {
            socket = x.accept();
            int i = socket.getInputStream().read();

            if ((i & 0xFF) == 14)   {
                socketFound = true;
            }
        } catch (Exception e)   {

        }
    } while (!socketFound);

    return socket;
}

What I don't understand is how the method "acceptSocketSafe" makes the socket acceptance safer than how I would have done it (the simple, regular way). (I believe it has something to do with excluding connections with bad intentions (DDoS, for example)).

Thank you for any explanation of this method!

It doesn't make it safer at all. It makes it worse.

This code does client I/O on the accepting thread. That means that all a malevolent client has to do to mount a DOS attack is to connect and send nothing. Then no other client can be accepted until that client either sends something or closes the connection.

As for what it does, it just rejects client connections that don't start with a 14 byte. It's a pretty weak test: 1 in 256 random attempts will pass. It would be better accomplished by proper error checking in the application protocol. You still have to do that anyway so there is no actual advantage at all.

This code also leaks rejected sockets.

Throw it away.

This is security by obscurity. The socket is accepted anyway, only that it checks that the client sends 0x0E (14) as the first byte. If it doesn't, it throws (without closing the accepted socket btw.).

This could still be DDoS'ed by just not sending anything after connecting...

Edit: Looking at it closer, it doesn't even need to be a distributed attack. A single client just not sending any byte will block the accept loop entirely, mission accomplished. Whoever wrote it didn't know what he was doing.
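One way to restructure the accept path so that it avoids the problems both answers point out (client I/O on the accepting thread, no read timeout, leaked rejected sockets). This is an added example, not code from the original posts; the class name, port, pool sizes, timeout and the acknowledgement byte are assumptions.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class HandshakeServer {
    private static final int HANDSHAKE_BYTE = 14;          // first byte the original method expects
    private static final int HANDSHAKE_TIMEOUT_MS = 5_000; // assumed value

    public static void main(String[] args) throws IOException {
        // Bounded pool and queue (assumed sizes) so idle clients cannot exhaust threads or memory.
        ExecutorService workers = new ThreadPoolExecutor(
                8, 32, 30, TimeUnit.SECONDS, new ArrayBlockingQueue<>(64));
        try (ServerSocket server = new ServerSocket(9000)) { // assumed port
            while (true) {
                Socket socket = server.accept(); // the accept thread never reads from the client
                try {
                    workers.execute(() -> handshake(socket));
                } catch (RejectedExecutionException e) {
                    // Pool saturated: shed the connection instead of queueing it.
                    try { socket.close(); } catch (IOException ignored) { }
                }
            }
        }
    }

    static void handshake(Socket socket) {
        try (Socket s = socket) { // closed on every path, so rejected sockets are not leaked
            s.setSoTimeout(HANDSHAKE_TIMEOUT_MS);  // a silent client times out instead of blocking
            int first = s.getInputStream().read(); // 0..255, or -1 at end of stream
            if (first != HANDSHAKE_BYTE) {
                return; // wrong first byte or EOF: reject
            }
            // Hypothetical acknowledgement; the real application protocol, with its own
            // error checking, would continue here on the worker thread.
            s.getOutputStream().write(HANDSHAKE_BYTE);
        } catch (SocketTimeoutException e) {
            // connected but sent nothing in time: dropped
        } catch (IOException e) {
            // I/O failure during the handshake: dropped
        }
    }
}
```

The first-byte test is kept only to mirror the original method; it remains as weak as the first answer says, and the read timeout and bounded pool limit, rather than eliminate, what idle connections can consume.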
