Does this class do the same as what I once tried with Apache?
With Apache it worked, but as soon as you used groups and the DDoS Apache
filter was set too low, it got jammed and stuck.
But if you set it too high, the use is possibly zero. Not saying it's
useless. But maybe good to understand how it works or what it's looking at.
It also helps people tune the setting right if they want to use it.
Especially group chat can be seen as DDoS.
On 2013-10-08 14:52, Melanie wrote:
I'm worried that people with larger installations will see service failures
because legit traffic is seen as abusive. This could cause issues for the
larger grids out there. I don't believe that whatever tenuous protection this
may offer for small grids and standalones outweighs the potential service
impairment it may cause for unsuspecting larger grids. Not every grid operator
reads this list.
So I'd again suggest that we stick to the way we've always done it and make the default
for new features be "off".
Melanie
On 8 Oct 2013, at 09:31, Teravus Ovares <[email protected]> wrote:
I understand what you're saying. It's hard to argue to leave
people unprotected from attacks, though. I'm certainly open to
making the defaults less protective, and, I'm concerned enough about
it that I'd prefer to leave some protection in place there.
What are your thoughts on that?
Best Regards
Teravus
On Tue, Oct 8, 2013 at 12:41 AM, Melanie <[email protected]> wrote:
Hi,
in keeping with our SOP, the defaults provided should be emulating
the previous behavior, e.g. NO rate limiting.
I would much appreciate if that procedure would be adhered to,
unless we vote to abandon it. Users could suffer because they don't
expect the default config to change on them.
Cheers,
Melanie
On 08/10/2013 05:42, Teravus Ovares wrote:
Hi there,
I just wanted to inform -dev that I added some rate limiting DOS
protection classes to use to protect your opensim based services from
rapid calling. At the moment, this will be most noticeable in the
Login Service. I have, both as an example, and good practice,
applied the Rate limit protection to the login service. There are
new Configuration options in StandaloneCommon.ini and Robust.ini that
control how the connections are rate limited and if it trusts the
X-Forwarded-For header. Just for the sake of getting something up
there, I set the defaults to something sane, however they may not work
for everyone, so it may be wise to take a look at the new
configuration options in the [LoginService] section of your
bin/Robust.ini.example and
/bin/config-include/StandaloneCommon.ini.example AND/OR have
discussions on what would be more sane default options. There's a
chance that this could affect anyone, so don't neglect to take a look
at it.
You may also notice messages on your console and in your logs like:
21:56:29 - [LOGINDOSPROTECTION]: client: 192.168.1.213 is blocked for
120000 milliseconds, X-ForwardedForAllowed status is False,
endpoint:192.168.1.213
This is an example of the DOS Protection blocking a connection because
the client went beyond the rate limit.
The rate limit is defined by X requests in Y period of time and is
implemented in a rolling Y fashion. It also has a 'forget' period of
time that will unblock the blocked user.
At this point, there's one implemented for XMLRPC handlers, one for
GenericHTTPHandlers and a base class for StreamHandlers based on
BaseStreamHandler.
If you are interested in the code changes, you can check the diff:
http://opensimulator.org/viewgit/?a=commitdiff&p=opensim&h=f76cc6036ebf446553ee5201321879538dafe3b2
There's still more to do, and, here's a start to providing some
modicum of protection on the services.
If you have any questions, feel free to reply and ask.. or send me an
e-mail personally.
Thanks and Best Regards
Teravus
_______________________________________________
Opensim-dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/opensim-dev
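
The rolling "X requests in Y period" limit with a forget period described in the announcement, and the false-positive concern raised in the replies, can be seen in the following added example. It is not OpenSim code and not part of any message in this thread. The class and function names, the limit of 5 requests per 10000 ms and the sample addresses are constructed for illustration; the 120000 ms block time is taken from the log line quoted above.

```python
from collections import defaultdict, deque


class RollingRateLimiter:
    """At most max_requests per client in a rolling window_ms; a client that
    goes over is blocked until forget_ms has passed."""

    def __init__(self, max_requests, window_ms, forget_ms, trust_xff=False):
        self.max_requests, self.window_ms = max_requests, window_ms
        self.forget_ms, self.trust_xff = forget_ms, trust_xff
        self._hits = defaultdict(deque)  # client key -> request times in window
        self._blocked_until = {}         # client key -> time the block lifts

    def client_key(self, endpoint_ip, headers):
        # Assumption: one trusted reverse proxy, so the last X-Forwarded-For
        # entry is the address that proxy saw. Untrusted: ignore the header.
        if self.trust_xff:
            last = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
            if last:
                return last
        return endpoint_ip

    def allow(self, endpoint_ip, headers, now_ms):
        key = self.client_key(endpoint_ip, headers)
        until = self._blocked_until.get(key)
        if until is not None:
            if now_ms < until:
                return False
            del self._blocked_until[key]  # forget period over: start fresh
            self._hits[key].clear()
        hits = self._hits[key]
        while hits and now_ms - hits[0] >= self.window_ms:
            hits.popleft()               # drop requests that left the window
        hits.append(now_ms)
        if len(hits) > self.max_requests:
            self._blocked_until[key] = now_ms + self.forget_ms
            return False
        return True


def replay(limiter, events):
    """Run (time_ms, endpoint_ip, headers) tuples through the limiter."""
    return [limiter.allow(ip, hdrs, t) for t, ip, hdrs in events]


# Constructed sample: six users log in one second apart through one proxy.
PROXY_LOGINS = [(i * 1000, "10.0.0.5", {"X-Forwarded-For": f"203.0.113.{i + 1}"})
                for i in range(6)]
```

Replaying PROXY_LOGINS with trust_xff=False counts all six users against the proxy address and blocks the sixth for the full forget period; with trust_xff=True each user is counted separately and all six pass.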