[ https://issues.apache.org/jira/browse/QPID-8369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16947288#comment-16947288 ]

Robert Godfrey commented on QPID-8369:
--------------------------------------
bq. Obviously, the rule will limit only AMQP connections. If a malicious user
would try to perform a DoS attack, the rule would be applied on finishing of
the authentication stage. Thus, before the authentication any number of TCP
connections can be created. I am wondering whether similar limits can be
applied to IP or domain addresses in order to restrict the number of TCP
connections which can be opened from a given host or domain address. Thus, if
the IP/domain address check is performed immediately after the opening of a TCP
connection, it would eliminate the need to wait for applying the limit for the
connection principal, if the IP/domain address limit is breached. Thus, such a
breaching connection would be closed immediately and might save some host
resources. I am not sure whether adding such a check makes sense. Perhaps, it
should be a responsibility of some proxy/gateway sitting in front of the broker
instance. What do you think?

I think that if protection against deliberate DoS attacks is desired, this
should be implemented elsewhere in a gateway / hardware device. I do not think
it makes sense to re-implement this functionality in the Broker (particularly
as the very act of handling the connection and then determining that it should
be denied will in itself take resources, and so would still leave the broker
vulnerable to such a deliberate attack).
> [Broker-J] Limit number of connections per user
> -----------------------------------------------
>
> Key: QPID-8369
> URL: https://issues.apache.org/jira/browse/QPID-8369
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Reporter: Tomas Vavricka
> Priority: Major
> Labels: connection, limit, user
> Fix For: qpid-java-broker-8.0.0
>
> Attachments:
> 0001-QPID-8369-Broker-J-WIP-Add-connection-limit-support-.patch
>
>
> There is only a limit on the number of connections per amqp/amqps port.
> If some user creates too many connections, he can prevent other users from
> connecting to amqp ports.
> Qpid Broker-J should support some limitation for connections per user.
> Broker should also support limitation of the number of created connections per
> time frame, e.g. create 60 connections per one minute at maximum