[rabbitmq-discuss] Forcing headers on incoming commands

Mike Keen mkeen.atl at gmail.com
Tue Dec 28 02:26:04 GMT 2010


Hello,

I'm part of a small group working on a realtime social game powered by
RabbitMQ/STOMP and run on Flash clients in the browser.

We've run into some security concerns related to exposing our STOMP port to
the public. Specifically, we've noticed that without the "exclusive: true"
header in an initial subscription (even to an anonymous queue), and the
socket is dropped before the client sends a clean disconnect, the queues
remain open for a pretty long time (at least a few minutes). This has led
to the concern that an attacker might be able to create any number of queues
that could hang around and waste memory, or even lead to memory being
exhausted.

Two questions considering the above:

1) Is it possible to set, through the config file, to force queue.exclusive
= true on every new queue creation on the server?

2) Is this a legitimate security concern? Or would a massive number of
queues (all bound to a topic exchange) not be enough to cause performance
issues?

Thanks in advance for your help.

Mike
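
The header-forcing idea in the subject line can be sketched as a frame rewrite done in front of the broker. This is an added example, not part of the original message and not a RabbitMQ feature: it assumes a hypothetical filtering proxy that sees each complete STOMP frame before forwarding it, and the function names and sample frames are constructed.

```python
# Added example: force "exclusive:true" on STOMP SUBSCRIBE frames at a
# hypothetical proxy sitting between public clients and the STOMP port.

def parse_frame(raw: bytes):
    """Split one NUL-terminated STOMP frame into (command, headers, body)."""
    if not raw.endswith(b"\x00"):
        raise ValueError("frame is not NUL-terminated")
    # Headers end at the first blank line; everything after it is the body.
    head, sep, body = raw[:-1].partition(b"\n\n")
    if not sep:
        raise ValueError("missing blank line after headers")
    lines = head.decode("utf-8").split("\n")
    command = lines[0].strip()
    headers = []
    for line in lines[1:]:
        key, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        # Tolerate "exclusive: true" as well as "exclusive:true".
        headers.append((key.strip(), value.strip()))
    return command, headers, body


def serialize_frame(command: str, headers, body: bytes = b"") -> bytes:
    """Rebuild the wire form: command, header lines, blank line, body, NUL."""
    head = "\n".join([command] + [f"{k}:{v}" for k, v in headers])
    return head.encode("utf-8") + b"\n\n" + body + b"\x00"


def force_exclusive(raw: bytes) -> bytes:
    """Rewrite SUBSCRIBE frames so they always carry exclusive:true.

    Frames with any other command are returned unchanged.
    """
    command, headers, body = parse_frame(raw)
    if command != "SUBSCRIBE":
        return raw
    # Drop every client-supplied "exclusive" header (any case, duplicates
    # included) so the client cannot override the value we set.
    kept = [(k, v) for k, v in headers if k.lower() != "exclusive"]
    kept.append(("exclusive", "true"))
    return serialize_frame(command, kept, body)


if __name__ == "__main__":
    # Constructed sample: a client that omits the header entirely.
    sample = b"SUBSCRIBE\ndestination:/topic/game\n\n\x00"
    print(force_exclusive(sample))
```

Rejecting the connection on a `ValueError` from `parse_frame` keeps malformed frames from reaching the broker at all.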