Sockets leak and DOS attack prevention about rfc5766-turn-server HOT 17 CLOSED

[deleted comment]

when disconnet, the client has disconnet complete, and socket file descriptor 
has release of client. But socket file descriptor has not release of turnserver.

Sorry, I indeed have difficulty understanding what you mean. Do you mean that 
the socket file descriptors are not released, sometimes ? I've never seen that 
problem. I'll double-check it. What kind of test configuration are you running ?

I'll try to play with my DOS tests to reproduce the problem.

I managed to reproduce a rare minor sockets leak in an intensive DOS attack 
test. I am working on it.

This will be fixed in 2.1.1.1

Thank you for your help. 
The attach file is my turnserver.conf, and the mysql DB config file is default 
config file.
I use this command to add the database data:
turnadmin -a --mysql-userdb="host=localhost dbname=*** user=*** password=*** 
connect_timeout=30" -u test –r reTurn -p 1234
And all other operations is the default.
Sorry, my english is not good.

Thanks.

I found a small sockets leak and I am fixing it.

Unfortunately, even if the TURN server does everything correctly then still it 
is possible to reach the "too many open sockets" state. If you are quickly 
opening new sessions, and especially if you set longer lifetime on the sessions 
(like 1800 or 3600) then eventually there will be more sockets than you system 
allow. UDP sessions do not have explicit "close" procedure - they are getting 
closed on timeout, by default it is 10 minutes.

You can set user quotes to prevent single user from opening too many sessions. 
Other than that, not much can be done. After the socket limit exhaustion, the 
server stops accepting the new connections; but it is pretty much alive and it 
will eventually recover when the unused sessions will be cleaned out. Then the 
server will be available again.

You can also start the TURN server from the root account, then on some systems 
it will have higher limit of sockets number. 

Yes, Sometimes,the socket file are not released. This occur at client connect 
and disconnect fast speed. the not release socket file  is create by 
create_unbound_ioa_socket func. My client connect will produce 24 socket file 
descriptor one time. Beauese one time has UAC and UAS client.

As I said, the UDP sessions do not have "disconnect" procedure - they are 
getting closed on timeout. You can make that cleanup quick if you set short 
allocation session lifetime. So, if you are using default lifetime (600 
seconds) and you are connection 100 sessions per second, then in 1 minutes you 
will have 6000 sessions, and so on. The TURN server will start releasing 
sessions only after 10 minutes, unless you explicitly use short LIFETIME 
attribute in the session allocation. After 2 minutes you will see messages like 
"too many open sockets" and between 2nd and 10th minutes the TURN server will 
reject any new connection. After 10th minute, it will start accepting them 
again.

Thanks a lot!
I know what you mean. I has a question, When client connect to turnserver, it 
will registered refresh_client_ss_allocation_timeout_hander event, but 
sometimes the client_ss_allocation_timeout_handler callback has not run, so at 
this time the unbount ioa socket will leak.This situation can improve by way of 
what you said ?

I say disconnect is close the client proecss. so at this time, the 
client_ss_allocation_timeout event will run, but sometimes it has not run

I changed the code, it will always run, with an interval. I changed the meaning 
of that callback. It was a one-time callback, now it will be a "persistent" 
event - a sort of garbage collector. You can take the latest code from SVN as a 
preview.

Thanks a lot!
I run the new version of TURN Server from SVN, Now, It run ok. It has not 
produce the problem.I will do a pressure testing again .

I put 2.1.1.1 tarball into the downloads.

I produced a new build, 2.1.2.0, that is specially optimized for Linux. Its
main focus is DOS attacks defense in Linux environment.