October 27, 2010

The Default Timeout Value for Standard Java Socket is Infinite!

Over the last week I have been doing some stability testing using both the standard Java java.net.Socket and javax.net.ssl.Socket, which are both part of the J2SE standard library. What I found out, to my big surprise, was that the default value for the socket timeout (getSoTimeout()) is infinite!

What are the consequences of this? For one, every blocking socket operation will hang forever if the peer never responds. But maybe the biggest problem is that it opens the door to Denial of Service (DoS) problems.

Example DoS: A server is overloaded and services its requests more and more slowly. If additional clients now connect, even more resources are consumed. In the end this system will run out of memory or I/O. This is not wanted!

What is wanted is a fail-fast strategy, i.e. a client that does not get a response within a certain time closes its Socket and reports back to the interactive user or machine.
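
A fail-fast client along these lines, as an added example that is not code from the original post. The class name `FailFastClient`, the `probe` helper and the timeout values are assumptions chosen for illustration; the stalled server is constructed locally so the example runs offline.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

public class FailFastClient {
    // Assumed limits for this example; tune them to the service's expected latency.
    static final int CONNECT_TIMEOUT_MS = 2000;
    static final int READ_TIMEOUT_MS = 1000;

    /** Reads one byte from the server, or gives up after READ_TIMEOUT_MS. */
    static String probe(InetSocketAddress server) throws IOException {
        try (Socket socket = new Socket()) {
            // A fresh socket reports 0, which java.net.Socket defines as "wait forever".
            System.out.println("default SO_TIMEOUT = " + socket.getSoTimeout());
            socket.connect(server, CONNECT_TIMEOUT_MS); // bounds the TCP handshake
            socket.setSoTimeout(READ_TIMEOUT_MS);       // bounds each blocking read()
            int b = socket.getInputStream().read();
            return b < 0 ? "closed by peer" : "got byte " + b;
        } catch (SocketTimeoutException e) {
            // Fail fast: try-with-resources has already closed the socket,
            // so only the report back to the caller is left to do.
            return "timed out: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for an overloaded server: the OS completes the
        // handshake through the listen backlog, but the application never replies.
        try (ServerSocket stalled = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            InetSocketAddress addr = new InetSocketAddress(
                    stalled.getInetAddress(), stalled.getLocalPort());
            long start = System.nanoTime();
            System.out.println(probe(addr));
            System.out.println("gave up after "
                    + (System.nanoTime() - start) / 1_000_000 + " ms");
        }
    }
}
```

Note that `setSoTimeout` bounds each individual blocking read, not the whole exchange, so a peer that sends one byte per interval still holds the connection open. Where total time matters, enforce an overall deadline in the application as well.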

1 comment:

Yuriy said...

You should set up the socket timeout at the OS level instead of in the Java application. This approach increases the flexibility of anti-DDoS settings.