

10 Denial of Service

Pedro was designed as a message transport for communicating agents, typically in a local area network. It was not designed to deal with security issues relating to open networks. Even so, Pedro needs to take into account various DOS issues because client programs can have bugs and may block in ways that might cause problems for the Pedro server.

Consequently, the Pedro server is designed to overcome various problems caused by badly behaving clients.

Firstly, the length of any newline-terminated string sent to the server has to be less than a bound that can be set using the -S switch at startup. The default is 1024. If the server does not find a newline (from a given client) before it reaches the bound then that string will be ignored.

Secondly, in Prolog, there are many ways to create infinite computation, either by constructing infinite (cyclic) terms and then processing them or by calling other non-terminating goals. Because Pedro uses the occurs check within unification, infinite terms cannot be constructed. Also, the valid goals used in subscriptions cannot produce infinite computation.

Thirdly, when a client disconnects, all its subscriptions are automatically removed.

Finally, there is the issue of blocking in the Pedro server. Because Pedro was designed to support communicating agents, we need to guarantee that messages from a given client will be processed in the order sent and that no messages will be dropped.

Consider a client that has subscribed but does not read notifications sent to it. Eventually, the Pedro server will not be able to send any more notifications to this client and so will have to block on any notifications that this client should receive. This may then cause notifying clients to block. To avoid this problem the Pedro server attaches a timeout to any client that causes the server to block. When the timeout expires (without the client consuming more notifications), the client is disconnected and all its subscriptions removed. The timeout is currently set to 1 second.

Consequently, when writing a client program, it would be best to consume notifications as soon as they arrive.

This timeout is also used when a client is trying to connect. If the handshake is not completed within this time, the client will be disconnected.
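As an added illustration (not Pedro's own code), the following Python model shows the two mechanisms described above: a per-client line reader that ignores any string reaching the -S bound without a newline, and a per-client notification slot with the 1 second timeout after which a non-consuming client is dropped and its subscriptions removed. The class names, the explicit `now` clock argument and the string return values are assumptions made for the demo.

```python
DEFAULT_BOUND = 1024  # the server's -S default from this section


class BoundedLineReader:
    """Reassembles newline-terminated strings from one client's byte stream.
    A string reaching `bound` bytes with no newline is ignored up to its newline."""

    def __init__(self, bound=DEFAULT_BOUND):
        self.bound, self.buf, self.skipping, self.ignored = bound, bytearray(), False, 0

    def feed(self, data):
        """Return the complete lines (without newline) contained in `data`."""
        lines = []
        for byte in data:                      # iterating bytes yields ints
            if self.skipping:                  # discarding the rest of an overlong line
                self.skipping = byte != 0x0A
            elif byte == 0x0A:
                lines.append(bytes(self.buf))
                self.buf.clear()
            else:
                self.buf.append(byte)
                if len(self.buf) >= self.bound:  # no newline before the bound
                    self.buf.clear()
                    self.skipping, self.ignored = True, self.ignored + 1
        return lines


class Notifier:
    """Models the per-client send timeout with an explicit clock (assumption for the demo)."""

    def __init__(self, timeout=1.0):
        self.timeout, self.subs, self.pending = timeout, {}, {}

    def subscribe(self, client, subscription):
        self.subs.setdefault(client, set()).add(subscription)

    def consume(self, client):
        """The client reads its outstanding notification, freeing the slot."""
        return self.pending.pop(client, (None, None))[0]

    def notify(self, client, message, now):
        """'delivered' if the slot was free, 'blocked' while the server still waits,
        'disconnected' once the wait exceeds the timeout (subscriptions removed)."""
        if client not in self.pending:
            self.pending[client] = (message, now)
            return "delivered"
        if now - self.pending[client][1] < self.timeout:
            return "blocked"
        self.pending.pop(client)
        self.subs.pop(client, None)
        return "disconnected"
```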

Note that, although dealing with open networks was not a design concern for Pedro, we believe the above defenses against DOS would allow Pedro to work in such environments.