UNIX Socket FAQ

A forum for questions and answers about network programming on Linux and all other Unix-like systems


#1 2011-06-05 06:59 PM

rcbanditg
Guest

Question about server threads implementation

Hi,
   I have a question about network programming. I need to implement a network server which must handle network clients. How should I implement it:

1. Using a threaded pool - when the server daemon is started, for example 60 threads are created and each new client is handled by one thread. When the client processing is finished, the thread is freed and ready for use again. I heard that in the threaded pool solution the server is vulnerable to DDOS attack.

2. Using a new thread for each new client - when the server must process a client request, it creates a new thread and the thread handles the client. When the processing is finished, the thread is destroyed.

So which one of them can you recommend me to use?
Is there another solution?

Regards
Peter

#2 2011-06-06 08:39 AM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,200

Re: Question about server threads implementation

A good overview for different approaches: http://kegel.com/c10k.html#strategies

But the main ways are one thread/process per client, or IO multiplexing with
select/poll/etc, usually on non-blocking sockets. Or a combination of the two.

A threadpool can be vulnerable to DDOS when the number of threads is fixed
and clients can stall the server somehow. Then an attacker just has to connect
as many times as there are threads in the pool and stall the server, so no one
else can connect. If the server disconnects unresponsive clients and the pool is
big enough, then it's less of a problem. But it's hard to see the difference
between very slow and malicious clients.

The second approach you describe is basically the same, but with unlimited
number of threads. It doesn't really matter if you create new threads or
keep old ones around, that's a minor detail.

What approach to take depends on your personal preferences and on what
the server is actually doing. If the server has to do a lot of file IO to handle
requests, using threads is probably better than multiplexing. But if handling
requests doesn't take much time, or just network IO, then multiplexing can be
better. All in all there is no single right answer, it depends on the situation.
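
The point in the post above about disconnecting unresponsive clients, as an added example that is not part of the original post: a bounded client table served with poll(), where a slot is reclaimed when a client is silent too long or keeps trickling data past a total deadline. The limits, names and the socketpair demo are assumptions chosen for illustration.

```c
/* Added example, not from the thread; limits and names are assumptions. */
#include <poll.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

#define MAX_CLIENTS 4   /* assumed cap; plays the role of the pool size */
#define IDLE_SECS   5   /* assumed: longest allowed silence */
#define TOTAL_SECS  30  /* assumed: longest allowed connection lifetime */

static struct client { int fd; time_t accepted, last_io; } tab[MAX_CLIENTS];
static int nclients;

/* Take ownership of fd; refuse and close it when every slot is busy. */
int admit(int fd, time_t now) {
    if (nclients == MAX_CLIENTS) { close(fd); return -1; }
    tab[nclients++] = (struct client){ fd, now, now };
    return 0;
}
static void drop(int i) { close(tab[i].fd); tab[i] = tab[--nclients]; }

/* Drop clients that are silent too long or trickle past the total deadline. */
int reap_stalled(time_t now) {
    int freed = 0;
    for (int i = nclients - 1; i >= 0; i--)
        if (now - tab[i].last_io > IDLE_SECS ||
            now - tab[i].accepted > TOTAL_SECS) { drop(i); freed++; }
    return freed;
}

/* One non-blocking pass: read from ready clients, refresh their last_io. */
int service_once(time_t now) {
    struct pollfd p[MAX_CLIENTS];
    char buf[512]; int active = 0;
    for (int i = 0; i < nclients; i++)
        p[i] = (struct pollfd){ tab[i].fd, POLLIN, 0 };
    if (poll(p, nclients, 0) <= 0) return 0;
    for (int i = nclients - 1; i >= 0; i--) {
        if (!p[i].revents) continue;
        if (read(tab[i].fd, buf, sizeof buf) <= 0) drop(i);  /* EOF or error */
        else { tab[i].last_io = now; active++; }
    }
    return active;
}

int main(void) {   /* constructed demo: one silent peer on a socketpair */
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || admit(sv[0], 0)) return 1;
    return reap_stalled(IDLE_SECS + 1) == 1 ? 0 : 1;
}
```

The total deadline is what catches a client that sends one byte every few seconds to stay under the idle limit; both values are policy choices that will also cut off some genuinely slow clients.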


#3 2011-06-06 12:15 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,759

Re: Question about server threads implementation

A threadpool can be vulnerable to DDOS

Honestly, EVERY single approach with a publicly accessible server is vulnerable to DDOS...  There's absolutely nothing you can do to fully guard against it...  If they aren't hitting your fixed thread/process limit, they're instead exhausting all your RAM or hitting your open FD limit or something else...  The only way to be safe from DDOS attack is to not be publicly accessible to all; i.e. either exist only on a private network of some sort, or if on the public Internet, require some kind of up-front user authentication, so unauthorized users can be quickly and easily booted without using up much resources...  (And, the latter can still get slowed down at least by an attack, and might get DOS'd by excessive TIME_WAIT sockets due to you closing so many of the attackers' sockets so quickly...  Plus, it then becomes vulnerable to brute force password cracking attacks, if using passwords for your auth...)  Basically, if you're on the Net, you're vulnerable to DDOS, and there's really not a whole lot you can do about it, so trying to guard against it is mostly just futile...


#4 2011-08-19 05:30 PM

developwyo
Member
Registered: 2011-08-16
Posts: 6

Re: Question about server threads implementation

RobSeace wrote:

A threadpool can be vulnerable to DDOS

Honestly, EVERY single approach with a publicly accessible server is vulnerable to DDOS...  There's absolutely nothing you can do to fully guard against it...  If they aren't hitting your fixed thread/process limit, they're instead exhausting all your RAM or hitting your open FD limit or something else...  The only way to be safe from DDOS attack is to not be publicly accessible to all; i.e. either exist only on a private network of some sort, or if on the public Internet, require some kind of up-front user authentication, so unauthorized users can be quickly and easily booted without using up much resources...  (And, the latter can still get slowed down at least by an attack, and might get DOS'd by excessive TIME_WAIT sockets due to you closing so many of the attackers' sockets so quickly...  Plus, it then becomes vulnerable to brute force password cracking attacks, if using passwords for your auth...)  Basically, if you're on the Net, you're vulnerable to DDOS, and there's really not a whole lot you can do about it, so trying to guard against it is mostly just futile...

Good advice. I found this out the hard way, and even though I am now only working with VPS protocols I am still having trouble here and there. So much aggression out there always, which is why I appreciate the extra level of security in online file storage. I already feel unsafe at home, can't have my computer life under the same harassment.

Last edited by developwyo (2011-09-22 05:48 PM)
