
Re: Server side delay for bad passwords?



Pierangelo Masarati wrote:
Given the current implementation, the delay will keep a thread busy for
its duration.  Your server, under attack, would quickly become
unresponsive for any user.  Probably, your case should be handled
separately, e.g. by writing an overlay that registers a delay for a
given connection and quickly releases the operation, and a background
thread that wakes up when it's time to return errors after the delay.
Nothing dramatic, but definitely needs some development.

A bit trickier than that; it should not immediately release the operation either. Otherwise you can build up quite a long queue of pending Bind responses if they submit multiple Bind requests blindly. I.e., you also need to prevent the connection from accepting more operations while a delay is in effect.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
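
The two designs discussed in this message, as an added example that is not part of the original post and is not OpenLDAP code: a small asyncio model in which the failed-Bind delay is a timer rather than a blocked worker, run once with the operation released immediately and once with the connection paused until the delay ends. The `Conn` class, the `DELAY` and `GOOD` values and the list of bad passwords are constructed for the illustration.

```python
import asyncio

DELAY = 0.02     # failed-Bind delay in seconds (constructed; short so the demo is quick)
GOOD = "secret"  # constructed credential for this model

class Conn:
    """In-memory stand-in for one client connection (hypothetical model)."""
    def __init__(self, binds):
        self.inbox = list(binds)  # Bind requests the client has already sent
        self.pending = 0          # delayed error responses outstanding right now
        self.max_pending = 0      # high-water mark of that queue

async def respond(conn, ok):
    if not ok:
        conn.pending += 1
        conn.max_pending = max(conn.max_pending, conn.pending)
        await asyncio.sleep(DELAY)  # a timer on the event loop; no worker is held
        conn.pending -= 1

async def serve(conn, pause_reads):
    timers = []
    while conn.inbox:
        ok = conn.inbox.pop(0) == GOOD
        if pause_reads:
            # Accept no further operation on this connection until the delay ends.
            await respond(conn, ok)
        else:
            # Release the operation at once: every blind Bind queues another timer.
            timers.append(asyncio.create_task(respond(conn, ok)))
    await asyncio.gather(*timers)

async def demo():
    flood = [f"guess{i}" for i in range(10)]  # constructed bad passwords
    released, paused, other = Conn(flood), Conn(flood), Conn([GOOD])
    loop = asyncio.get_running_loop()
    start = loop.time()
    jobs = [asyncio.create_task(serve(paused, True)),
            asyncio.create_task(serve(released, False))]
    await asyncio.sleep(0)             # let both flooded connections start first
    await serve(other, True)           # a legitimate user on a third connection
    latency = loop.time() - start
    await asyncio.gather(*jobs)
    return released.max_pending, paused.max_pending, latency

def run_demo():
    return asyncio.run(demo())

if __name__ == "__main__":
    print(run_demo())  # (queue depth if released, queue depth if paused, other user's wait)
```

With ten pipelined bad Binds, the released connection accumulates ten pending responses while the paused one never holds more than one, and the third connection is answered without waiting in either case.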