[Zope] ZOracleDA
Christopher Petrilli
petrilli@digicool.com
Sun, 16 Jan 2000 17:26:22 -0500
On 1/14/00 5:14 PM, Nemeth Miklos at nemeth@iqsoft.hu wrote:
> I am stress-testing ZOracleDA, and found it almost perfect for large web
> applications:
> it supports multi-threaded access and a kind of connection pooling, and
> quite reliable.
Almost perfect is good :-)
> However, there are two points, which makes me a bit anxious:
>
> (1) Doug Hellman mentioned that ZOracleDA does not stop long running
> requests when the user cancels the HTTP request. Is it possible for a
> malicious cracker to conduct a denial-of-service attack exploiting this
> behaviour?
> I think this is not a ZOracleDA specific problem, but a general issue
> with Oracle. Do other technologies (PHP, mod_perl, etc) have a solution
> for this problem? Is this a real threat?
I do not believe anyone has a solution for this problem, and yes it could be
used as an attack, pretty much regardless of their type. This is a form of
resource starvation, and it is unavoidable without active defenses,
something we don't have right now (nor does Apache, which can be starved the
same way). Having said that, there is really no way that I know of to know
that the user has stopped their HTTP request, it's not part of the protocol,
you'd have to detect the socket being closed pre-maturely, which would NEVER
be available thru PCGI or FastCGI, though it is theoretically feasible in
ZServer to propagate this information.
> (2) [ Nemeth talks about bind variables] We benchmarked this
> behaviour and found the 20 - 30 % more Oracle resources are used for
> this extra parsing.
Wow I wasn't aware of this problem being performance related, but in
retrospect it makes perfect sense. 20-30% is a pretty substantial amount.
> Is there a way to force ZOracleDA to use binding instead of literal
> substitution?
There is not currently, though obviously its feasible. I'll try and do some
research about this in the near term and factor it into product plans!
Chris
--
| Christopher Petrilli Python Powered Digital Creations, Inc.
| petrilli@digicool.com http://www.digicool.com