Design issue Discouraged users can shut down all php daemons

Jawsh

Active member
Code:
        // random loading delay
        if ($options->discourageDelay['max'])
        {
            usleep(mt_rand($options->discourageDelay['min'], $options->discourageDelay['max']) * 1000000);
        }

Code:
        if ($this->_request->isPost() && $delay = XenForo_Application::get('options')->delayPostResponses)
        {
            usleep($delay * 1000000);
        }

Because of how sleep() works, a disgruntled discouraged user can launch (n = pm.max_children) requests simultaneously and lock up the entire server until the delay is over. This makes application level DoS attacks trivial.
 
There's literally nothing that we can do about this in PHP. It's very dependent on your server setup and, of course, how you use this particular option. The same argument would apply if you find any sort of semi-slow to generate page.

I'd also note that your second example is a debugging option, not one that's exposed to end users.
 
Make it so that if Memcache is enabled, an IP-specific token is set for the lifetime of the pause and subsequent requests within that token's lifetime cause the page to instantly 500.
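A concrete form of the cache-token idea from the post above, as an added example rather than XenForo's code or the poster's: one request per IP is allowed into the sleep, and any concurrent request from the same IP is answered immediately so the worker is freed. It assumes the PECL Memcached extension; the function name, key prefix and the plain-integer min/max arguments are illustrative.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not XenForo code): cap the number of PHP-FPM workers a single
 * client IP can tie up in the "discourage" sleep at one time.
 *
 * Assumes the PECL Memcached extension; the function name and key prefix are
 * illustrative. Only one request per IP may sleep at a time; any concurrent
 * request from the same IP is answered at once so its worker is released
 * instead of blocking in usleep().
 */
function discourageDelay(Memcached $cache, string $ip, int $minSec, int $maxSec): void
{
    if ($maxSec <= 0) {
        return; // option disabled, mirrors the original `if (...['max'])` guard
    }

    $key = 'discourage_delay:' . $ip;
    // Memcached::add() is atomic: it fails if the key already exists, so the
    // check and the claim of the "one sleeping request per IP" slot are one step.
    // The TTL bounds the slot even if the worker dies before delete() runs.
    $ttl = $maxSec + 1;
    if (!$cache->add($key, 1, $ttl)) {
        // Another request from this IP is already in its delay: fail fast.
        http_response_code(503);
        header('Retry-After: ' . $ttl);
        header('Content-Type: text/plain');
        echo "Too many concurrent requests.\n";
        exit;
    }

    try {
        // Same random delay as the original, but now at most one worker per IP.
        usleep(mt_rand($minSec, $maxSec) * 1000000);
    } finally {
        $cache->delete($key);
    }
}

// Usage (assumed wiring; XenForo's option object is replaced by plain ints here):
$cache = new Memcached();
$cache->addServer('127.0.0.1', 11211);
$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
discourageDelay($cache, $ip, 2, 5);
```

This answers with 503 plus Retry-After rather than the bare 500 suggested in the post, so a well-behaved client knows when to retry. It limits one address to a single sleeping worker and needs a shared cache; as the reply above notes, it does nothing against requests spread across many addresses.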