Posted to dev@mina.apache.org by "이희승 (Trustin Lee)" <tr...@gmail.com> on 2008/05/14 03:13:07 UTC

Re: ConnectionThrottleFilter

True. You made a good point. What would be the better solution? I don't
see any clean solution yet.

On Thu, 24 Apr 2008 08:17:14 +0900, Steve Johns  
<st...@gmail.com> wrote:

> Thanks, but the source code is:
>
> // The map is keyed on the host address only; the remote port is discarded.
> if (clients.containsKey(addr.getAddress().getHostAddress())) {
> }
>
> On Wed, Apr 23, 2008 at 10:09 PM, Cem Uzunlar <ce...@gmail.com>  
> wrote:
>
>> I think Remote Address also includes the port number. People connecting
>> from
>> the same company will have the same IP but different port numbers  
>> assigned
>> by NAT so they will be treated as different addresses.
>>
>> 2008/4/23 Steve Johns <st...@gmail.com>:
>>
>> > Since ConnectionThrottleFilter uses session.getRemoteAddress() to
>> > identify the remote peer, could it be a problem when lots of users in a
>> > company use the same public IP? If they connect at the "same time",
>> > ConnectionThrottleFilter will block some of them. Right?
>> >
>>



-- 
Trustin Lee - Principal Software Engineer, JBoss, Red Hat
--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: ConnectionThrottleFilter

Posted by Daniel Wirtz <da...@virtunity.com>.
On Thu, May 22, 2008 at 12:51 AM, Steve Johns <st...@gmail.com>
wrote:

> 1) Maybe we assume that kind of client won't connect to the server at the
> "same" time. However, what about the server getting restarted, with clients
> reconnecting at the "same" time? Load the connection filter 10 minutes after
> the server starts? ^^


Sounds like a good idea for when your application deals with many clients
reconnecting concurrently. I would also implement it in this manner.


> 2) Never use a connection filter, and assume there is no such malicious
> attack?


Depends on the technical skills of the "enemies" of your app ;). In
practice, without some kind of throttling, connection attempts that do not
generate any further load may or may not kill the app if they are issued
from one computer only, depending on the internet connections used.
However, a distributed attack where many computers participate will kill it,
pretty surely.

The filter should not be used with too paranoid settings, though, so that
user experience does not suffer but a basic means of protection is given. If
a botnet of hundreds or even thousands of malicious clients tries to
bring your app down, it will get it done independent of whether you use the
filter. For this case, you will need some kind of automatic and
fast-reacting (geographically) distributed cluster that is able to deal with
that.

From this perspective, the throttle filter can be used to prevent the most
common attacks from medium-sized groups of attacking computers.

regards
Daniel

Re: ConnectionThrottleFilter

Posted by Steve Johns <st...@gmail.com>.
1) Maybe we assume that kind of client won't connect to the server at the
"same" time. However, what about the server getting restarted, with clients
reconnecting at the "same" time? Load the connection filter 10 minutes after
the server starts? ^^
2) Never use a connection filter, and assume there is no such malicious
attack?

On Thu, May 22, 2008 at 5:53 AM, Daniel Wirtz <da...@virtunity.com> wrote:

> 2008/5/21 Steve Johns <st...@gmail.com>:
>
> > Does any hardware, like a firewall, do the trick?
>
>
> A hardware firewall will also use the remote address. This is a problem
> caused by the nature of NAT. I also don't see a clean solution to
> distinguish between clients that reside behind a NAT, so the Mina user will
> have to set the throttle filter to an appropriate value that does not block
> "good" NATs but does block "very bad" IPs.
>
> regards
> Daniel
>

Re: ConnectionThrottleFilter

Posted by Daniel Wirtz <da...@virtunity.com>.
2008/5/21 Steve Johns <st...@gmail.com>:

> Does any hardware, like a firewall, do the trick?


A hardware firewall will also use the remote address. This is a problem
caused by the nature of NAT. I also don't see a clean solution to
distinguish between clients that reside behind a NAT, so the Mina user will
have to set the throttle filter to an appropriate value that does not block
"good" NATs but does block "very bad" IPs.

regards
Daniel
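As an added example (not code from this thread and not MINA's own ConnectionThrottleFilter), the standalone Java sketch below shows the two mitigations the thread circles around: keying the throttle on the host address only, as the quoted source does, but allowing a configurable burst of connections per sliding window so a whole office behind one NAT fits under the budget, and honouring a grace period after startup so that clients reconnecting together after a server restart are not rejected. The class name, the thresholds and the peer addresses are assumptions; the addresses come from the TEST-NET documentation ranges and no real traffic is sent.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/**
 * Standalone sketch (assumed design, not MINA's ConnectionThrottleFilter):
 * a per-source-IP throttle that still keys on the host address only, as the
 * filter quoted in the thread does, but (1) allows a burst of connections per
 * sliding window instead of one connection per interval and (2) honours a
 * grace period after startup so that clients reconnecting together after a
 * server restart are not rejected.
 */
public class NatAwareThrottle {
    private final int maxPerWindow;   // accepted connections per source IP per window
    private final long windowMillis;  // length of the sliding window
    private final long graceUntil;    // no throttling before this (absolute) time
    // source IP -> timestamps (ms) of accepted connections inside the window
    private final Map<String, Deque<Long>> recent = new HashMap<>();

    public NatAwareThrottle(int maxPerWindow, long windowMillis,
                            long startupGraceMillis, long startedAt) {
        this.maxPerWindow = maxPerWindow;
        this.windowMillis = windowMillis;
        this.graceUntil = startedAt + startupGraceMillis;
    }

    /** Decide whether a new connection from remote should be accepted at time now. */
    public synchronized boolean accept(InetSocketAddress remote, long now) {
        // Key on the IP alone: NAT gives every client behind it a different
        // source port but the same address, so they all share one budget.
        String ip = remote.getAddress().getHostAddress();
        Deque<Long> times = recent.computeIfAbsent(ip, k -> new ArrayDeque<>());
        // Forget connections that have fallen out of the window.
        while (!times.isEmpty() && now - times.peekFirst() >= windowMillis) {
            times.pollFirst();
        }
        if (now >= graceUntil && times.size() >= maxPerWindow) {
            return false;   // this IP's budget for the current window is spent
        }
        // Accepted (inside the grace period or under budget); record it so the
        // window is already populated when the grace period ends.
        times.addLast(now);
        return true;
    }

    // Constructed peer addresses for the simulation (TEST-NET ranges, no traffic).
    private static InetSocketAddress peer(String ip, int port) {
        try {
            return new InetSocketAddress(InetAddress.getByName(ip), port);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException(ip, e);
        }
    }

    public static void main(String[] args) {
        long t0 = 0L;
        // Normal operation: 20 connections per IP per 10 s, no grace period.
        NatAwareThrottle strict = new NatAwareThrottle(20, 10_000, 0, t0);
        int office = 0;   // 15 users behind one corporate NAT, all within 15 ms
        for (int i = 0; i < 15; i++) {
            if (strict.accept(peer("203.0.113.5", 40_000 + i), t0 + i)) office++;
        }
        int flood = 0;    // one host opening 500 sockets in half a second
        for (int i = 0; i < 500; i++) {
            if (strict.accept(peer("198.51.100.9", 50_000 + i), t0 + i)) flood++;
        }
        System.out.println("NAT office accepted " + office + "/15, "
                + "single-host flood accepted " + flood + "/500");

        // Restart scenario: 100 NAT'd users reconnect within one second of startup.
        NatAwareThrottle noGrace = new NatAwareThrottle(20, 10_000, 0, t0);
        NatAwareThrottle withGrace = new NatAwareThrottle(20, 10_000, 30_000, t0);
        int acceptedNoGrace = 0, acceptedWithGrace = 0;
        for (int i = 0; i < 100; i++) {
            InetSocketAddress p = peer("203.0.113.5", 41_000 + i);
            if (noGrace.accept(p, t0 + i * 10)) acceptedNoGrace++;
            if (withGrace.accept(p, t0 + i * 10)) acceptedWithGrace++;
        }
        System.out.println("reconnect storm: " + acceptedNoGrace + "/100 without grace, "
                + acceptedWithGrace + "/100 with grace");
    }
}
```

Run as is, the office burst passes in full, the single-host flood is cut off at the per-window budget, and the reconnect storm after a restart is fully accepted only when the grace period is set. Wired into a MINA IoFilter's sessionCreated, a false return would close the new session instead of passing it down the chain. The knob Daniel describes is maxPerWindow: large enough that a whole NAT's legitimate burst fits, small enough that one host's flood is cut. A botnet, with one address per bot, never exhausts any single budget, which is why no per-IP filter helps against a distributed attack.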

Re: ConnectionThrottleFilter

Posted by Steve Johns <st...@gmail.com>.
Does any hardware, like a firewall, do the trick?

On Wed, May 14, 2008 at 9:13 AM, 이희승 (Trustin Lee) <tr...@gmail.com>
wrote:

> True. You made a good point. What would be the better solution? I don't
> see any clean solution yet.
>
>
> On Thu, 24 Apr 2008 08:17:14 +0900, Steve Johns <
> steven.mark.johns@gmail.com> wrote:
>
> Thanks, but the source code is:
>>
>> if (clients.containsKey(addr.getAddress().getHostAddress())) {
>> }
>>
>> On Wed, Apr 23, 2008 at 10:09 PM, Cem Uzunlar <ce...@gmail.com>
>> wrote:
>>
>> I think Remote Address also includes the port number. People connecting
>>> from
>>> the same company will have the same IP but different port numbers
>>> assigned
>>> by NAT so they will be treated as different addresses.
>>>
>>> 2008/4/23 Steve Johns <st...@gmail.com>:
>>>
>>> > Since ConnectionThrottleFilter uses session.getRemoteAddress() to
>>> > identify the remote peer, could it be a problem when lots of users in a
>>> > company use the same public IP? If they connect at the "same time",
>>> > ConnectionThrottleFilter will block some of them. Right?
>>> >
>>>
>>>
>
>
> --
> Trustin Lee - Principal Software Engineer, JBoss, Red Hat
> --
> what we call human nature is actually human habit
> --
> http://gleamynode.net/
>