BIND 10 #2494: sync_udp_server (asio) gives in under heavy stress
BIND 10 Development
do-not-reply at isc.org
Mon Nov 19 16:23:30 UTC 2012
#2494: sync_udp_server (asio) gives in under heavy stress
---------------------------------+-----------------------------------------
Reporter: jelte | Owner:
Type: defect | Status: new
Priority: medium | Milestone: New Tasks
Component: b10-auth | Keywords:
Sensitive: 1 | Defect Severity: N/A
Sub-Project: DNS | Feature Depending on Ticket:
Estimated Difficulty: 0 | Add Hours to Ticket: 0
Total Hours: 0 | Internal?: 0
---------------------------------+-----------------------------------------
(marking this as sensitive, not sure if we should treat it as such, but
easier to remove the flag than to add it later)

My slow little personal home server running BIND10 is getting hammered by
what look like reflection attacks on a daily basis (2 megs per second of
strange queries). Apart from overloading my cpu, it is not much of a
problem.

However, at some point asio starts behaving badly; not sure if this is
something in my system, but annoying nonetheless, as it brings down the
whole server; it throws an asio::system_error in socket_->send_to(). That
exception is then propagated up all the way to main.cc where it is caught
and logs the pretty much unhelpful AUTH_SERVER_FAILED.

Sometimes the error is 'invalid argument' and sometimes it is 'permission
denied'.

Currently I'm running with this patch, which solves the issue (it simply
drops the send under the assumption that it is just UDP, and well, if it
fails, what else would you do). It also logs the address it tried to send
to (I use that to stop the floods without having to resort to tcpdump to
see where it came from, I think our normal logging should log some more
remote addresses as well btw).

Note, I have not checked any other code to see if this is needed in more
places, so one part of this task would be to do that should we continue
this approach.

{{{
diff --git a/src/lib/asiodns/asiodns_messages.mes
b/src/lib/asiodns/asiodns_messages.mes
index 8fbafdd..12caee8 100644
--- a/src/lib/asiodns/asiodns_messages.mes
+++ b/src/lib/asiodns/asiodns_messages.mes
@@ -14,6 +14,9 @@
$NAMESPACE isc::asiodns
+% ASIODNS_UDP_SEND_FAIL Error sending UDP packet to %1: %2
+There was an error sending a udp packet. The packet is not sent.
+
% ASIODNS_FD_ADD_TCP adding a new TCP server by opened fd %1
A debug message informing about installing a file descriptor as a server.
The file descriptor number is noted.
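Review bot: the description under ASIODNS_UDP_SEND_FAIL does not say what %1 and %2 hold or what the server does after the failure. Going by the call site in sync_udp_server.cc, %1 is the destination address and %2 is the exception text; say so, and state that the response is dropped and the server keeps handling queries, so an operator reading the log knows what action, if any, is needed. "udp" should be "UDP" to match the message line above it. The new entry is also placed ahead of ASIODNS_FD_ADD_TCP, so check whether this file keeps its message IDs in alphabetical order.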
diff --git a/src/lib/asiodns/sync_udp_server.cc
b/src/lib/asiodns/sync_udp_server.cc
index 0c577f2..3c3f48e 100644
--- a/src/lib/asiodns/sync_udp_server.cc
+++ b/src/lib/asiodns/sync_udp_server.cc
@@ -148,9 +148,13 @@ SyncUDPServer::handleRead(const asio::error_code& ec,
const size_t length) {
return;
}
- socket_->send_to(asio::buffer(output_buffer_->getData(),
- output_buffer_->getLength()),
- sender_);
+ try {
+ socket_->send_to(asio::buffer(output_buffer_->getData(),
+ output_buffer_->getLength()),
+ sender_);
+ } catch (const asio::system_error& exc) {
+ LOG_ERROR(logger,
ASIODNS_UDP_SEND_FAIL).arg(sender_.address().to_string()).arg(exc.what());
+ }
}
// And schedule handling another socket.
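Review bot: the catch block around socket_->send_to() logs at LOG_ERROR once per failed send with no limit, so under the query flood described in the report the remote side decides how many error lines get written. Consider rate-limiting ASIODNS_UDP_SEND_FAIL, or counting failures and logging a periodic summary. The handler also treats every asio::system_error alike: the report names 'invalid argument' and 'permission denied', but an error meaning the socket itself is unusable would now be logged and ignored on every packet. Dropping only on the expected error codes would be safer, and the send_to() overload that takes an asio::error_code& lets that be tested without exceptions. Only sender_.address() is logged; including the port would make the log line more useful for tracing where the queries claim to come from.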
}}}
--
Ticket URL: <http://bind10.isc.org/ticket/2494>
BIND 10 Development <http://bind10.isc.org>