Without doubt the biggest management headache I have with ASSP is the SSL/TLS DDoS feature.
When SSL fails, for whatever reason:

Aug-14-19 14:48:09 [Worker_2] Error: Worker_2 accept_SSL to client 111.222.333.444 failed IO::Socket::SSL=GLOB(0x1089bb828) (timeout: 5 s) : SSL accept attempt failed because of handshake problems error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

All subsequent secure connection attempts from that IP address are blocked for the next 12 hours:

Aug-14-19 14:48:09 [Worker_2] Error: Worker_2 accept_SSL to client 111.222.333.444 denied - the client failed before on SSL/TLS

The TLS/SSL DDoS mitigation feature is great... but this causes huge headaches for me when I have an office full of people, and ONE client PC (phone, fax machine, whatever) misbehaves. The result is that it locks out the entire office from being able to send email for 12 hours. You can imagine the angry calls I get. This happens once or twice a week. Sometimes the misbehaving SMTP client is intermittent, and we are NEVER able to find out which one it is.

I can put the client's IP into noBanFailedSSLIP, but this is a temporary fix, because most of the clients are on connections which have dynamically assigned IP addresses, and the next time their router renegotiates, they get a new IP address and are blocked once again.

What I'd love to see is a "client must have failed x number of times in a row before being blocked" parameter. That would stop a big DDoS attack, but a successful SSL/TLS negotiation would reset the counter, so that we don't have an IP representing 40 users being blocked because of a misbehaving fax machine.

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
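As an added illustration of the counter the post asks for (this is not ASSP's own code; the log-line pattern, the threshold of 3 and the epoch-seconds timestamps are assumptions), here is a small Python tracker that blocks an address only after N consecutive handshake failures, clears the streak on a successful handshake, and expires the block after the 12-hour window:

```python
import re
from datetime import datetime

# Assumed pattern for the ASSP-style "accept_SSL ... failed" line quoted in the post;
# the "denied - the client failed before" line deliberately does not match it.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\w+\] Error: \w+ accept_SSL to client (?P<ip>\S+) failed")

# Constructed sample line (copied shape, not a real host).
SAMPLE_FAIL_LINE = ("Aug-14-19 14:48:09 [Worker_2] Error: Worker_2 accept_SSL to client "
                    "111.222.333.444 failed IO::Socket::SSL=GLOB(0x1089bb828) (timeout: 5 s)")

def parse_failure(line):
    """Return (epoch_seconds, client_ip) for a handshake-failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b-%d-%y %H:%M:%S").timestamp()
    return ts, m.group("ip")

class SslFailureTracker:
    """Block an IP only after N consecutive handshake failures; a success resets the count."""
    def __init__(self, max_consecutive=3, ban_seconds=12 * 3600):
        self.max_consecutive = max_consecutive
        self.ban_seconds = ban_seconds
        self.failures = {}       # ip -> consecutive failure count
        self.blocked_until = {}  # ip -> epoch time at which the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                  # block has expired: forget the history
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed handshake; return True if the IP is blocked afterwards."""
        if self.is_blocked(ip, now):
            return True
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_consecutive:
            self.blocked_until[ip] = now + self.ban_seconds
            return True
        return False

    def record_success(self, ip):
        """A completed handshake from a shared NAT address clears the failure streak."""
        self.failures.pop(ip, None)
```

With a 40-user office behind one NAT address, every successful handshake from a healthy client keeps the misbehaving fax machine from ever reaching the threshold, while a host that fails N times back-to-back is still banned.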