Posted to users@kafka.apache.org by Andrii Petruchek <ap...@gmail.com> on 2019/07/17 04:46:50 UTC

Rate limit TLS handshake requests

Hello,

I have a Kafka cluster deployed in Kubernetes, and several
producers/consumers that are deployed in the same Kubernetes cluster.

We use TLS between Kafka Brokers and clients.
I noticed that if users have the wrong configuration and can't
properly complete the SSL/TLS handshake, they produce a ton of requests. And these
requests impact cluster resource usage: Kafka broker CPU is at 95-100%,
request latency is quite high, etc.
So the question is: is there any way to configure a rate limit or throttling for
initial TLS/SSL handshakes or attempts? Of course, we will fix our clients,
but such requests could be used for a DDoS attack on the Kafka cluster.
Here is a log snippet:
2019-07-16 19:16:15,684 INFO [SocketServer brokerId=1] Failed
authentication with /100.98.90.5 (SSL handshake failed)
(org.apache.kafka.common.network.Selector)
[data-plane-kafka-network-thread-1-ListenerName(CLIENTTLS)-SSL-6]
2019-07-16 19:16:15,685 INFO [SocketServer brokerId=1] Failed
authentication with /100.101.247.126 (SSL handshake failed)
(org.apache.kafka.common.network.Selector)
[data-plane-kafka-network-thread-1-ListenerName(CLIENTTLS)-SSL-6]
2019-07-16 19:16:15,685 INFO [SocketServer brokerId=1] Failed
authentication with /100.101.247.126 (SSL handshake failed)
(org.apache.kafka.common.network.Selector)
[data-plane-kafka-network-thread-1-ListenerName(CLIENTTLS)-SSL-6]
2019-07-16 19:16:15,685 INFO [SocketServer brokerId=1] Failed
authentication with /100.98.90.5 (SSL handshake failed)
(org.apache.kafka.common.network.Selector)
[data-plane-kafka-network-thread-1-ListenerName(CLIENTTLS)-SSL-6]
2019-07-16 19:16:15,688 INFO [SocketServer brokerId=1] Failed
authentication with /100.107.135.16 (SSL handshake failed)

--
Andrii
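One defender-side way to spot the behaviour described above is to parse the broker's "Failed authentication ... (SSL handshake failed)" Selector lines and count failures per source IP in a sliding window, so a misconfigured or abusive client stands out before CPU climbs. This is an added example, not code from the thread or from Kafka; the log lines are constructed to mirror the snippet in the post (each record on one line), and the window and threshold are assumed values to tune for your cluster.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the org.apache.kafka.common.network.Selector INFO line a broker
# logs when a client's SSL handshake fails (one record per line).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO "
    r"\[SocketServer brokerId=(?P<broker>\d+)\] Failed authentication with "
    r"/(?P<ip>[\d.]+) \(SSL handshake failed\)"
)

# Constructed sample log modelled on the post's snippet; not real traffic.
_FMT = ("{ts} INFO [SocketServer brokerId=1] Failed authentication with /{ip} "
        "(SSL handshake failed) (org.apache.kafka.common.network.Selector)")
SAMPLE_LOG = "\n".join([_FMT.format(ts=t, ip=i) for t, i in [
    ("2019-07-16 19:16:15,684", "100.98.90.5"),
    ("2019-07-16 19:16:15,685", "100.101.247.126"),
    ("2019-07-16 19:16:15,685", "100.98.90.5"),
    ("2019-07-16 19:16:15,688", "100.107.135.16"),
    ("2019-07-16 19:16:15,690", "100.98.90.5"),
    ("2019-07-16 19:16:15,702", "100.98.90.5"),
    ("2019-07-16 19:16:16,100", "100.98.90.5"),
    ("2019-07-16 19:16:17,900", "100.101.247.126"),
]] + ["2019-07-16 19:16:18,000 INFO [SocketServer brokerId=1] Unrelated line"])


def parse_failures(text):
    """Yield (timestamp, source_ip) for each failed-handshake line; skip others."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), m["ip"]


def noisy_clients(text, window=timedelta(seconds=1), threshold=3):
    """Return {ip: peak} for IPs with more than `threshold` failures
    inside any sliding window of length `window` (assumed defaults)."""
    events = defaultdict(list)
    for ts, ip in parse_failures(text):
        events[ip].append(ts)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window start
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged
```

Feeding this from a log shipper gives a per-client alert; on the broker itself, `connection.failed.authentication.delay.ms` (delays closing a connection after a failed authentication) and `max.connections.per.ip` are the existing knobs for slowing such clients down.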