[jboss-as7-dev] A simple timed cache?
Darran Lofthouse
darran.lofthouse at jboss.com
Tue Sep 6 13:37:35 EDT 2011
Yes I agree that is also a risk but I will be starting a separate
discussion on that one.
On 09/06/2011 06:01 PM, Lincoln Baxter, III wrote:
> Closing off remote connections when the server "believes" it is under
> attack is dangerous. This opens up new routes for Denial of Service
> attacks.
>
> On Tue, Sep 6, 2011 at 11:54 AM, Darran Lofthouse
> <darran.lofthouse at jboss.com> wrote:
>
> On 09/06/2011 02:50 PM, Sanne Grinovero wrote:
> >>>
> >>> Depending on your needs it might not suit you: LIRS provides a
> >>> bounded container, so it might drop some values even if the timeout
> >>> was not reached.
> >>
> >> Thanks Sanne, that is probably not going to meet what I need - one thing I
> >> am looking at is better tracking of failed authentication attempts so I
> >> wouldn't want someone to be able to force an item out by causing additional
> >> entries to be added.
> >>
> >
> > I really don't know about your plans, but having a limit in the amount
> > of entries the cache will be able to hold is generally a good idea.
>
> Yes in that case I would probably look at an option to just stop
> accepting remote connection attempts if it appears the server is really
> under attack - I will start a separate discussion on how people believe
> that should behave.
>
> > A malicious user could otherwise find a pattern to fill the memory of
> > the AS by sending the appropriate (failing) authentication attempts,
> > maybe from multiple users.
> >
> > Sanne
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>
>
>
>
> --
> Lincoln Baxter, III
> http://ocpsoft.com
> http://scrumshark.com
> "Keep it Simple"
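The thread above weighs a timed cache against a size-bounded one for tracking failed authentication attempts: a bounded container can be made to evict an entry by flooding it, while an unbounded one can be made to exhaust memory. The following sketch is an added illustration, not code from the original thread or from JBoss AS7. Entries expire by time only, never because another entry was added, and a hard capacity caps memory; when the capacity is reached the tracker reports overload to the caller instead of silently dropping a tracked principal. The class and method names, the injected clock, and the 60-second / 3-failure / 2-principal parameters used in `main` are assumptions for the example.

```java
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.LongSupplier;

/**
 * Added example (not JBoss AS7 code): a time-bounded tracker of failed
 * authentication attempts. Entries leave the map only when their window has
 * elapsed, never because another entry was added, so a flood of failures for
 * other principals cannot push an attacker's own record out. Memory is still
 * capped by a hard capacity; when it is reached the tracker refuses to take on
 * a new principal and reports that to the caller instead of silently evicting.
 */
public final class FailedAuthTracker {

    /** Per-principal state: failures in the current window and the last failure time. */
    private static final class Entry {
        int failures;
        long lastFailureMillis;
    }

    private final Map<String, Entry> entries = new LinkedHashMap<>();
    private final long windowMillis;  // how long a failure stays counted
    private final int maxFailures;    // failures within the window that lock the principal
    private final int capacity;       // hard bound on the number of tracked principals
    private final LongSupplier clock; // injected so the expiry logic can be exercised deterministically

    public FailedAuthTracker(long windowMillis, int maxFailures, int capacity, LongSupplier clock) {
        this.windowMillis = windowMillis;
        this.maxFailures = maxFailures;
        this.capacity = capacity;
        this.clock = clock;
    }

    /**
     * Records a failed attempt for the principal.
     * Returns false when the tracker is full and the principal is not yet tracked;
     * the caller then decides how to react (the thread above suggests refusing
     * further remote connections) rather than losing someone else's record.
     */
    public synchronized boolean recordFailure(String principal) {
        long now = clock.getAsLong();
        expire(now);
        Entry e = entries.get(principal);
        if (e == null) {
            if (entries.size() >= capacity) {
                return false; // overloaded: do not evict an existing record
            }
            e = new Entry();
            entries.put(principal, e);
        }
        e.failures++;
        e.lastFailureMillis = now;
        return true;
    }

    /** True while the principal has reached maxFailures inside the window. */
    public synchronized boolean isLocked(String principal) {
        expire(clock.getAsLong());
        Entry e = entries.get(principal);
        return e != null && e.failures >= maxFailures;
    }

    /** A successful login clears the principal's record. */
    public synchronized void recordSuccess(String principal) {
        entries.remove(principal);
    }

    /** Number of principals currently tracked, after expiring stale entries. */
    public synchronized int trackedPrincipals() {
        expire(clock.getAsLong());
        return entries.size();
    }

    /** Drops every entry whose last failure is older than the window (linear sweep). */
    private void expire(long now) {
        Iterator<Map.Entry<String, Entry>> it = entries.entrySet().iterator();
        while (it.hasNext()) {
            if (now - it.next().getValue().lastFailureMillis > windowMillis) {
                it.remove();
            }
        }
    }

    public static void main(String[] args) {
        long[] now = {0L};                       // fake clock, advanced by hand
        FailedAuthTracker tracker = new FailedAuthTracker(60_000L, 3, 2, () -> now[0]);
        for (int i = 0; i < 3; i++) {
            tracker.recordFailure("alice");      // three failures lock alice
        }
        System.out.println("alice locked: " + tracker.isLocked("alice"));
        System.out.println("bob accepted: " + tracker.recordFailure("bob"));
        System.out.println("carol accepted: " + tracker.recordFailure("carol")); // at capacity; alice and bob stay
        System.out.println("alice still locked: " + tracker.isLocked("alice"));
        now[0] += 61_000L;                       // step the clock past the window
        System.out.println("alice locked after window: " + tracker.isLocked("alice"));
        System.out.println("tracked after expiry: " + tracker.trackedPrincipals());
    }
}
```

The capacity check deliberately returns a signal rather than evicting, so a third principal's failures cannot unlock a principal who is already locked; what the caller does with that signal (refuse new connections, alert, or degrade in some other way) is exactly the question the thread defers to a separate discussion. Note also that because the lockout is keyed by principal, anyone who knows a username can keep that user locked out by continuing to fail against it, which is one of the denial-of-service routes the thread warns about; the example does not attempt to solve that.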