[jboss-as7-dev] A simple timed cache?

Lincoln Baxter, III lincolnbaxter at gmail.com
Tue Sep 6 13:01:27 EDT 2011


Closing off remote connections when the server "believes" it is under attack
is dangerous. This opens up new routes for Denial of Service attacks.

On Tue, Sep 6, 2011 at 11:54 AM, Darran Lofthouse <darran.lofthouse at jboss.com> wrote:

> On 09/06/2011 02:50 PM, Sanne Grinovero wrote:
> >>>
> >>> Depending on your needs it might not suit you: LIRS provides a
> >>> bounded container, so it might drop some values even if the timeout
> >>> was not reached.
> >>
> >> Thanks Sanne, that is probably not going to meet what I need - one thing I
> >> am looking at is better tracking of failed authentication attempts so I
> >> wouldn't want someone to be able to force an item out by causing additional
> >> entries to be added.
> >>
> >
> > I really don't know about your plans, but having a limit in the amount
> > of entries the cache will be able to hold is generally a good idea.
>
> Yes in that case I would probably look at an option to just stop
> accepting remote connection attempts if it appears the server is really
> under attack - I will start a separate discussion on how people believe
> that should behave.
>
> > A malicious user could otherwise find a pattern to fill the memory of
> > the AS by sending the appropriate (failing) authentication attempts,
> > maybe from multiple users.
> >
> > Sanne



-- 
Lincoln Baxter, III
http://ocpsoft.com
http://scrumshark.com
"Keep it Simple"
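As an added example (not code from this thread or from JBoss AS 7), here is a sketch of the kind of tracker Darran describes: a per-principal failed-login count that is forgotten after a quiet window, with a hard bound on how many principals are tracked so the structure cannot grow without limit. The class name, the `Clock` parameter and the eviction policy are assumptions; the comment at the eviction point marks the trade-off Sanne raised. Requires Java 16+ for the record.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Iterator;
import java.util.LinkedHashMap;

/** Hypothetical tracker of failed logins: per-principal count, timed expiry, hard bound. */
public final class FailedAuthTracker {
    private record Entry(int failures, Instant lastFailure) {}

    private final Duration window;
    private final int maxTracked;
    private final Clock clock; // injected so expiry can be exercised deterministically in tests
    // Insertion order is the order of last failure, so the head is always the stalest entry.
    private final LinkedHashMap<String, Entry> entries = new LinkedHashMap<>();

    public FailedAuthTracker(Duration window, int maxTracked, Clock clock) {
        this.window = window;
        this.maxTracked = maxTracked;
        this.clock = clock;
    }

    /** Records one failure and returns how many this principal has in the current window. */
    public synchronized int recordFailure(String principal) {
        Instant now = clock.instant();
        expire(now);
        Entry prev = entries.remove(principal); // re-inserted below, at the tail
        if (prev == null && entries.size() >= maxTracked) {
            // Hard bound, so a stream of failing logins cannot grow memory without limit.
            // The cost is the trade-off Sanne raised: a flood of fresh principals can
            // push the stalest entry out before its timeout is reached.
            Iterator<String> stalest = entries.keySet().iterator();
            stalest.next();
            stalest.remove();
        }
        int count = (prev == null ? 0 : prev.failures()) + 1;
        entries.put(principal, new Entry(count, now));
        return count;
    }

    /** Drops every principal whose last failure is older than the window, head first. */
    private void expire(Instant now) {
        Iterator<Entry> it = entries.values().iterator();
        while (it.hasNext() && !it.next().lastFailure().plus(window).isAfter(now)) {
            it.remove();
        }
    }
}
```

A caller would compare the returned count against a threshold; because the count only resets after a full quiet window, repeated failures spaced just inside the window keep accumulating rather than slipping under it.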