Python's socket module as included in Ubuntu Lucid (python version 2.6.5) does not correctly handle and exclude malformed UDP packets. This means that UDP listening programs written in python on this version are susceptible to malformed-UDP-packet based DoS attacks which cause severe CPU spikes in the python process. The spikes to recover once the attacks cease. If malformed UDP packets are properly identified in the library and excluded this will protect all UDP listening software written in python and using the standard sockets module from similar attacks. Currently all such software is vulnerable to such attacks.

What do you call "malformed UDP packets" and how should they be detected by the library?

Thanks for your quick response, I downloaded the ISIC tool and used the following command to identify the problem:

udpsic -s rand -d server-ip-address,port

where port is 514 (syslogd) which uses a python script to process the incoming messages.

The command 'netstat -lnup | grep 514' shows python as the bound application.

Thanks,
John
-----Original Message-----
From: Antoine Pitrou [mailto:report@bugs.python.org] 
Sent: Friday, January 27, 2012 12:47 PM
To: John Zimmerman (johzimme)
Subject: [issue13891] CPU DoS With Python's socket module

Antoine Pitrou <pitrou@free.fr> added the comment:

What do you call "malformed UDP packets" and how should they be detected by the library?

----------
nosy: +pitrou

_______________________________________
Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue13891>
_______________________________________

But what does the ISIC tool report and why do you think it is a problem in Python's socket module?

As far as I can read on its website, "ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et. al.)". The IP stack, as well as the UDP and TCP implementations, is in the system's kernel, not in Python.

Hi Antoine, 

The issue is that the CPU spikes to ~90% utilization for the server during the attack, for as long as the attack lasts.  So the theory is that Python isn't throttling or processing the malformed packets properly.  Copying Renier for any additional info.

Thanks,
John

> The issue is that the CPU spikes to ~90% utilization for the server
> during the attack, for as long as the attack lasts.  So the theory is
> that Python isn't throttling or processing the malformed packets
> properly.  Copying Renier for any additional info.

I don't know who Renier is, but Python is a programming language and
doesn't integrate a "throttling" facility or ad-hoc protection against
network attacks. Other programming languages will show exactly the same
behaviour. The socket module gives access to the system's low-level
socket operations, it is not a high-level network programming framework.

Besides, truly malformed packets will never get processed by Python,
they will be blocked by the kernel (e.g. because of a checksum failure).

I don't want to be harsh, but this whole report just doesn't make sense
You're getting 90% CPU usage simply because you're flooding your server.
Closing.