I guess we would have to figure out how to detect if a client is bad. In my example, if a connection is dropped and that IP address is sent to the blacklist, then you would never let that IP address back in? Seems a little extreme to me. I might need to know more about your program I guess.
On 6/22/07, Rodrigo Madera <[EMAIL PROTECTED]> wrote:
In my application I need something like this. If the clients are detected to be "bad", then they will be sent to the blacklist.

This would be a great plus for MINA.

Regards,
Rodrigo

On 6/22/07, Mark Webb <[EMAIL PROTECTED]> wrote:
> This is what I was thinking. I will create a JIRA entry and add this code in....
>
> --START--------------------------------------------
> import java.net.InetSocketAddress;
> import java.net.SocketAddress;
>
> import org.apache.mina.common.IoFilterAdapter;
> import org.apache.mina.common.IoSession;
> import org.apache.mina.util.ExpiringMap;
> import org.apache.mina.util.SessionLog;
>
> public class ConnThrottleFilter extends IoFilterAdapter {
>     private static final long DEFAULT_TIME = 1000;
>     private long waitTime;
>     // Time of the last accepted connection, keyed by client IP address
>     private final ExpiringMap<String,Long> clients;
>
>     public ConnThrottleFilter() {
>         this( DEFAULT_TIME );
>     }
>
>     public ConnThrottleFilter( long millis ){
>         this.waitTime = millis;
>         clients = new ExpiringMap<String,Long>(60);
>     }
>
>     public void setWaitTime(long waitTime) {
>         this.waitTime = waitTime;
>     }
>
>     private synchronized boolean isConnectionOk( IoSession session ){
>         SocketAddress remoteAddress = session.getRemoteAddress();
>         if( remoteAddress instanceof InetSocketAddress )
>         {
>             long now = System.currentTimeMillis();
>             InetSocketAddress addr = (InetSocketAddress)remoteAddress;
>             String host = addr.getAddress().getHostAddress();
>             if( clients.containsKey(host)){
>                 Long time = clients.get(host);
>                 // Reject if this host reconnected before waitTime elapsed
>                 if( (now-time) < waitTime ){
>                     return false;
>                 }
>             }
>             // First connection, or enough time has passed: record it and accept
>             clients.put( host, now );
>             return true;
>         }
>
>         // Sessions without an IP remote address are rejected
>         return false;
>     }
>
>     @Override
>     public void sessionCreated(NextFilter nextFilter, IoSession session) throws Exception {
>         if( ! isConnectionOk(session)){
>             SessionLog.info( session, "Connections coming in too fast; closing." );
>             session.close();
>             return;
>         }
>         // Pass accepted sessions on to the rest of the filter chain
>         nextFilter.sessionCreated(session);
>     }
> }
> --END--------------------------------------------------------
>
> On 6/22/07, Norman Maurer <[EMAIL PROTECTED]> wrote:
> > Hi Mat,
> >
> > it depends on your protocol. You should think about how many connects are
> > expected ;-)
> >
> > bye
> > Norman
> >
> > On Fri, 22 Jun 2007 15:15:29 +0800, mat <[EMAIL PROTECTED]> wrote:
> > > Can you give some idea what the configured time could be?
> > >
> > > On 6/22/07, Norman Maurer <[EMAIL PROTECTED]> wrote:
> > > > You could write an IOFilter which limits the connections per IP in a
> > > > configured time. I did the same in a project for limiting the
> > > > connections per time on a smtpserver.
> > > >
> > > > Bye
> > > > Norman
> > > >
> > > > On Fri, 22 Jun 2007 14:16:53 +0800, mat <[EMAIL PROTECTED]> wrote:
> > > > > Thanks. My concern is what if some clients write a loop keep opening
> > > > > socket connection and my server keeps accepting and eventually mina
> > > > > core will reject any new connections. Is that possible to happen?
> > > > > Correct me if I am wrong,
> > > > >
> > > > > On 6/22/07, 凌晨 <[EMAIL PROTECTED]> wrote:
> > > > > > Dear mat:
> > > > > > I think you should implement your own handler to detect this kind
> > > > > > of connections from time to time then kill them all.
> > > > > > You send some detecting packets to these connected connections, no
> > > > > > response, no connection.
> > > > > > Best Wishes
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Mark Webb" <[EMAIL PROTECTED]>
> > > > > > To: <dev@mina.apache.org>
> > > > > > Sent: Friday, June 22, 2007 8:56 AM
> > > > > > Subject: Re: malicious client
> > > > > >
> > > > > > > maybe a variant of the throttle filter which only allows one
> > > > > > > connection per IP at a time.
> > > > > > >
> > > > > > > On 6/21/07, mat <[EMAIL PROTECTED]> wrote:
> > > > > > > > Thanks. But how should I set the TIMEOUT since the malicious
> > > > > > > > client could connect by programming a loop, couldn't he?
> > > > > > > >
> > > > > > > > 2007/6/21, Mark Webb <[EMAIL PROTECTED]>:
> > > > > > > > > an IoFilter could probably work. This is related to the
> > > > > > > > > filter work that was discussed a while back that dealt with
> > > > > > > > > heartbeats.
> > > > > > > > >
> > > > > > > > > On 6/21/07, Julien Vermillard <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > On Thu, 21 Jun 2007 20:46:55 +0800
> > > > > > > > > > mat <[EMAIL PROTECTED]> wrote:
> > > > > > > > > >
> > > > > > > > > > > I wonder whether any function could prevent Mina from a
> > > > > > > > > > > malicious client attacking by opening connections and not
> > > > > > > > > > > sending any data. If NOT, how could I do? Thanks.
> > > > > > > > > >
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > Just detect IDLEness, in your IoHandler sessionIdle.
> > > > > > > > > > If a client doesn't send enough data, close it.
> > > > > > > > > >
> > > > > > > > > > HTH
> > > > > > > > > >
> > > > > > > > > > Julien
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > ..Cheers
> > > > > > > > > Mark
> > > > > > >
> > > > > > > --
> > > > > > > ..Cheers
> > > > > > > Mark
>
> --
> ..Cheers
> Mark
-- ..Cheers Mark
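
A time-limited alternative to a permanent blacklist, combining the per-IP throttle discussed in this thread with a ban that expires. This is an added example, not part of the original messages and not MINA code: the class `ThrottleWithBan`, its parameters and the sample address and timestamps are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper (not a MINA class): per-IP throttle with a ban that expires. */
public class ThrottleWithBan {
    private static final class State { long lastConnect; int strikes; long bannedUntil; }

    private final long minIntervalMs; // minimum gap between connects from one IP
    private final int maxStrikes;     // consecutive too-fast connects before a ban
    private final long banMs;         // ban length; the IP is let back in afterwards
    private final Map<String, State> clients = new HashMap<>();
    private long nextSweep = 0;

    public ThrottleWithBan(long minIntervalMs, int maxStrikes, long banMs) {
        this.minIntervalMs = minIntervalMs;
        this.maxStrikes = maxStrikes;
        this.banMs = banMs;
    }

    /** Returns true if a connection from host at time now (ms) should be accepted. */
    public synchronized boolean accept(String host, long now) {
        if (now >= nextSweep) { // drop idle, unbanned entries so the table does not grow forever
            clients.values().removeIf(s -> now >= s.bannedUntil && now - s.lastConnect > banMs);
            nextSweep = now + banMs;
        }
        State s = clients.get(host);
        if (s == null) {                        // first contact from this IP
            s = new State();
            s.lastConnect = now;
            clients.put(host, s);
            return true;
        }
        if (now < s.bannedUntil) return false;  // ban still active
        boolean tooFast = now - s.lastConnect < minIntervalMs;
        s.lastConnect = now;
        if (!tooFast) { s.strikes = 0; return true; }
        if (++s.strikes >= maxStrikes) { s.bannedUntil = now + banMs; s.strikes = 0; }
        return false;
    }

    public static void main(String[] args) {
        ThrottleWithBan t = new ThrottleWithBan(1000, 3, 60_000);
        String ip = "192.0.2.10";               // constructed sample address (TEST-NET-1)
        long[] times = {0, 100, 200, 300, 5_000, 61_000, 70_000}; // constructed timestamps, ms
        for (long ts : times) {
            System.out.println(ts + " ms -> " + (t.accept(ip, ts) ? "accept" : "reject"));
        }
    }
}
```

In a filter like the one quoted above, `accept` would be called from `sessionCreated` with the remote host address and the current time, closing the session when it returns false.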