What about a scenario where port 80 is open on the firewall, and a malicious person is attempting a DDoS on the server listening on port 80?
I do not think all (maybe not any) firewalls can protect against that.

On 7/20/07, mat <[EMAIL PROTECTED]> wrote:
Now I wonder whether ConnectionThrottleFilter could be done in most firewalls?

On 7/13/07, Mark <[EMAIL PROTECTED]> wrote:
>
> I like that idea. I also agree with Mat and a firewall *should* handle the
> blacklisting, but defense-in-depth is something I strongly believe in.
>
> On 7/11/07, Trustin Lee <[EMAIL PROTECTED]> wrote:
> >
> > On 7/12/07, Mark <[EMAIL PROTECTED]> wrote:
> > > Not sure I agree.
> > >
> > > Blacklisting a host is analogous to a firewall operation in that the
> > > administrator of a MINA-based application would determine which hosts can
> > > connect to the application. The ConnectionThrottleFilter is designed to
> > > block host connections when they try and connect too quickly, like in the
> > > case of a denial-of-service attack.
> > >
> > > I could understand combining code via a shared parent class. There was talk
> > > of even extending the ConnectionThrottleFilter further by keeping a host in
> > > the 'block' list for a configurable amount of time.
> >
> > I think what differs is a policy. If the policy is pre-programmed or
> > permanent, it's what BlacklistFilter does. Otherwise, it's what
> > ConnectionThrottleFilter is supposed to do. Probably we could create
> > some generic filter that user can specify a certain policy. For
> > example:
> >
> > ConnectionThrottlePolicy p = ...;
> > ConnectionThrottleFilter f = new ConnectionThrottleFilter(p);
> >
> > Trustin
> > --
> > what we call human nature is actually human habit
> > --
> > http://gleamynode.net/
> > --
> > PGP Key ID: 0x0255ECA6
> >
>
> --
> ..Cheers
> Mark
>
-- ..Cheers Mark
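
The policy split discussed in the quoted thread (a permanent blacklist versus a throttle that blocks a host for a configurable time), sketched as an added example that is not part of the thread and is not MINA code. Every name in it (ConnectionPolicy, blacklist, throttle, all) is hypothetical, hosts are plain strings, and the connection attempts are constructed sample data.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical names throughout; this is not the MINA API.
public class ThrottlePolicyDemo {
    /** Decides whether a new connection from host is accepted at time nowMs. */
    interface ConnectionPolicy { boolean accept(String host, long nowMs); }

    /** Pre-programmed, permanent policy: what the thread calls blacklisting. */
    static ConnectionPolicy blacklist(Set<String> denied) {
        return (host, nowMs) -> !denied.contains(host);
    }

    /** Dynamic policy: a host reconnecting within minIntervalMs is blocked for blockMs. */
    static ConnectionPolicy throttle(long minIntervalMs, long blockMs) {
        // Entries are never evicted and check-then-act is not atomic here;
        // a real filter must bound these maps and synchronize per host.
        Map<String, Long> lastSeen = new ConcurrentHashMap<>();
        Map<String, Long> blockedUntil = new ConcurrentHashMap<>();
        return (host, nowMs) -> {
            Long until = blockedUntil.get(host);
            if (until != null && nowMs < until) return false;  // still serving its block
            Long prev = lastSeen.put(host, nowMs);
            if (prev != null && nowMs - prev < minIntervalMs) {
                blockedUntil.put(host, nowMs + blockMs);       // start a timed block
                return false;
            }
            return true;
        };
    }

    /** Every layer must agree, mirroring a static rule set plus an in-application throttle. */
    static ConnectionPolicy all(ConnectionPolicy... policies) {
        return (host, nowMs) -> {
            for (ConnectionPolicy p : policies) if (!p.accept(host, nowMs)) return false;
            return true;
        };
    }

    public static void main(String[] args) {
        ConnectionPolicy policy = all(blacklist(Set.of("203.0.113.9")), throttle(1000, 5000));
        // Constructed sample: {host, arrival time in ms}
        Object[][] attempts = { {"198.51.100.7", 0L}, {"198.51.100.7", 200L},
            {"198.51.100.7", 3000L}, {"198.51.100.7", 5300L}, {"203.0.113.9", 6000L} };
        for (Object[] a : attempts)
            System.out.println(a[0] + " @" + a[1] + "ms -> "
                + (policy.accept((String) a[0], (Long) a[1]) ? "accept" : "reject"));
    }
}
```

Attempts made while a host is blocked do not update its last-seen time, so the block ends at a fixed point instead of being extended by continued traffic.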
