Posted to users@directory.apache.org by Ute Schröder <us...@crown.de> on 2014/01/28 11:14:08 UTC

intercept LDAP request based on IP address

Hi,

I am using ApacheDS 2.0.0 M15 embedded into my application. I would like
to prevent DoS attacks on the LDAP server by blocking repeated requests
from identical IP addresses.
My first thought was to use an interceptor, but I found that the first
method to be called is the lookup() method, and the
lookupOperationContext does not contain the client's IP address. I get
the IP address in the bind(BindContext) method, but then I have already
spent server capacity to check the username and password in the database
(even if the password is wrong, or the username unknown).

What is the best way to get to the client's IP address before I make a
database lookup? Is it possible to add a filter to the Mina filter chain
that is used in ApacheDS, and if yes, how can I do that?
Using an external firewall to prevent DoS attacks is not feasible,
unfortunately.

Thank you for your help, and best regards,
Ute
 


Re: intercept LDAP request based on IP address

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Jan 28, 2014 at 3:44 PM, Ute Schröder <us...@crown.de> wrote:

> Hi,
>
> I am using ApacheDS 2.0.0 M15 embedded into my application. I would like
> to prevent DoS attacks on the LDAP server by blocking repeated requests
> from identical IP addresses.
> My first thought was to use an interceptor, but I found that the first
> method to be called is the lookup() method, and the
> lookupOperationContext does not contain the client's IP address. I get
> the IP address in the bind(BindContext) method, but then I have already
> spent server capacity to check the username and password in the database
> (even if the password is wrong, or the username unknown).
>
> What is the best way to get to the client's IP address before I make a
> database lookup? Is it possible to add a filter to the Mina filter chain
> that is used in ApacheDS, and if yes, how can I do that?
>
This is the best way to do it.
Take a look at the start() method in the LdapServer class; you can add a
filter to the IoFilterChainBuilder in there.

Let us know if you run into any issues.

> Using an external firewall to prevent DoS attacks is not feasible,
> unfortunately.
>
> Thank you for your help, and best regards,
> Ute
>
>
>


-- 
Kiran Ayyagari
http://keydap.com
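
A sketch of the kind of MINA filter discussed in this thread, as an added example that is not code from either poster or from the ApacheDS project. The class name IpRateLimitFilter, the install() helper, the filter name "ipRateLimit" and the limit of 20 events per second are assumptions; how the chain builder created in LdapServer.start() is reached from an embedding application is left to the reader.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
import org.apache.mina.core.filterchain.IoFilterAdapter;
import org.apache.mina.core.session.IoSession;

/** Hypothetical per-IP limiter: runs before the LDAP codec, so no directory lookup happens. */
public class IpRateLimitFilter extends IoFilterAdapter {
    private static final class Window { long start; int count; }
    private final int maxEvents;
    private final long windowMillis;
    // Entries are never evicted here; a production filter must expire idle addresses.
    private final ConcurrentMap<InetAddress, Window> windows =
            new ConcurrentHashMap<InetAddress, Window>();

    public IpRateLimitFilter(int maxEvents, long windowMillis) {
        this.maxEvents = maxEvents;
        this.windowMillis = windowMillis;
    }
    /** True while the address is within its budget for the current fixed window. */
    boolean allow(InetAddress ip, long now) {
        Window w = windows.get(ip);
        if (w == null) {
            Window fresh = new Window();
            fresh.start = now;
            w = windows.putIfAbsent(ip, fresh);
            if (w == null) { w = fresh; }
        }
        synchronized (w) {
            if (now - w.start >= windowMillis) { w.start = now; w.count = 0; }
            return ++w.count <= maxEvents;
        }
    }
    private boolean allow(IoSession session) {
        SocketAddress remote = session.getRemoteAddress();
        if (!(remote instanceof InetSocketAddress)) { return true; } // not an IP transport
        return allow(((InetSocketAddress) remote).getAddress(), System.currentTimeMillis());
    }
    @Override // a new connection counts as one event
    public void sessionCreated(NextFilter next, IoSession session) throws Exception {
        if (allow(session)) { next.sessionCreated(session); } else { session.close(true); }
    }
    @Override // ahead of the codec, each "message" is one raw read buffer, not one LDAP request
    public void messageReceived(NextFilter next, IoSession session, Object msg) throws Exception {
        if (allow(session)) { next.messageReceived(session, msg); } else { session.close(true); }
    }
    /** Assumed wiring: put the limiter at the head of the chain. */
    public static void install(DefaultIoFilterChainBuilder chain) {
        chain.addFirst("ipRateLimit", new IpRateLimitFilter(20, 1000L));
    }
}
```

MINA also ships ConnectionThrottleFilter and BlacklistFilter in org.apache.mina.filter.firewall, which cover the connection-rate and fixed-blocklist cases without custom code.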