This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: CPU DoS With Python's socket module
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 2.6
process
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: johzimme, neologix, pitrou
Priority: normal Keywords:

Created on 2012-01-27 17:33 by johzimme, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (7)
msg152103 - (view) Author: John Zimmerman (johzimme) Date: 2012-01-27 17:33
Python's socket module as included in Ubuntu Lucid (python version 2.6.5) does not correctly handle and exclude malformed UDP packets. This means that UDP listening programs written in python on this version are susceptible to malformed-UDP-packet based DoS attacks which cause severe CPU spikes in the python process. The spikes to recover once the attacks cease. If malformed UDP packets are properly identified in the library and excluded this will protect all UDP listening software written in python and using the standard sockets module from similar attacks. Currently all such software is vulnerable to such attacks.
msg152105 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-01-27 17:46
What do you call "malformed UDP packets" and how should they be detected by the library?
msg152106 - (view) Author: John Zimmerman (johzimme) Date: 2012-01-27 17:59
Thanks for your quick response, I downloaded the ISIC tool and used the following command to identify the problem:

udpsic -s rand -d server-ip-address,port

where port is 514 (syslogd) which uses a python script to process the incoming messages.

The command 'netstat -lnup | grep 514' shows python as the bound application.

Thanks,
John
-----Original Message-----
From: Antoine Pitrou [mailto:report@bugs.python.org] 
Sent: Friday, January 27, 2012 12:47 PM
To: John Zimmerman (johzimme)
Subject: [issue13891] CPU DoS With Python's socket module

Antoine Pitrou <pitrou@free.fr> added the comment:

What do you call "malformed UDP packets" and how should they be detected by the library?

----------
nosy: +pitrou

_______________________________________
Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue13891>
_______________________________________
msg152107 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-01-27 18:03
But what does the ISIC tool report and why do you think it is a problem in Python's socket module?

As far as I can read on its website, "ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et. al.)". The IP stack, as well as the UDP and TCP implementations, is in the system's kernel, not in Python.
msg152108 - (view) Author: John Zimmerman (johzimme) Date: 2012-01-27 18:15
Hi Antoine, 

The issue is that the CPU spikes to ~90% utilization for the server during the attack, for as long as the attack lasts.  So the theory is that Python isn't throttling or processing the malformed packets properly.  Copying Renier for any additional info.

Thanks,
John
msg152109 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-01-27 18:24
> The issue is that the CPU spikes to ~90% utilization for the server
> during the attack, for as long as the attack lasts.  So the theory is
> that Python isn't throttling or processing the malformed packets
> properly.  Copying Renier for any additional info.

I don't know who Renier is, but Python is a programming language and
doesn't integrate a "throttling" facility or ad-hoc protection against
network attacks. Other programming languages will show exactly the same
behaviour. The socket module gives access to the system's low-level
socket operations, it is not a high-level network programming framework.

Besides, truly malformed packets will never get processed by Python,
they will be blocked by the kernel (e.g. because of a checksum failure).
msg152113 - (view) Author: Charles-François Natali (neologix) * (Python committer) Date: 2012-01-27 19:34
I don't want to be harsh, but this whole report just doesn't make sense
You're getting 90% CPU usage simply because you're flooding your server.
Closing.
History
Date User Action Args
2022-04-11 14:57:26adminsetgithub: 58099
2012-01-27 19:34:07neologixsetstatus: open -> closed

nosy: + neologix
messages: + msg152113

resolution: not a bug
stage: resolved
2012-01-27 18:24:48pitrousetmessages: + msg152109
2012-01-27 18:15:21johzimmesetmessages: + msg152108
2012-01-27 18:03:33pitrousetmessages: + msg152107
2012-01-27 17:59:27johzimmesetmessages: + msg152106
2012-01-27 17:46:45pitrousetnosy: + pitrou
messages: + msg152105
2012-01-27 17:33:52johzimmecreate