
Protecting a slapd Server from Excessive Client Queries

I looked at the slapd.conf directives (e.g., sizelimit, timelimit,
conn_max_pending, conn_max_auth, conn_max_pending_auth,
sockbuf_max_incoming, sockbuf_max_incoming_auth, limits (size and time),
etc.) and it seems like conn_max_pending and conn_max_auth might be
worth a try.  I agree with Howard Chu's and Kurt's idea of creating a
"protective layer" around slapd which performs some form of rate
limiting on clients.  Not being familiar with the slapd code, are there
any recommendations as to where and how I would set up such a
"protective layer" to monitor for unusual or unexpected client behavior?
Or has somebody already written something like this?

NOTE: Howard Chu said, "It would be pretty simple to write an overlay
that records the IP addresses of incoming search requests and does some
form of rate limiting on them, rejecting/failing requests once a certain
number of outstanding requests has been reached."

Ken R. 

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Kurt D.
Sent: Wednesday, February 08, 2006 6:09 PM
To: Ramseyer, Ken
Cc: OpenLDAP-software@OpenLDAP.org
Subject: Re: Protecting a slapd Server from Excessive Client Queries

One other feature which may be of interest to you is the 'limits'
slapd.conf(5) directive.

I note that, in general, it is very difficult to stop a client from
denying service, whether by normal course of events or otherwise, to
other clients.  I believe concerns in this area are better addressed
through use of authentication (e.g., know your clients) and monitoring
for unusual and/or unexpected behaviors.

My primary reason for this belief is my realization that policy
restrictions intended to mitigate denial-of-service issues often have
the opposite impact in reality.


At 11:34 AM 2/8/2006, Ramseyer, Ken wrote:
>I am trying to protect against a client that has somehow ended up in an
>infinite loop with no sleep or delay, and this client is calling
>ldap_search thousands of times a second.  Just one unruly or demanding
>client can adversely affect service to all other clients.
>
>Is there a way to configure slapd to prevent a single connection from
>consuming less than half of the thread pool, or any other resources
>(e.g., CPU, socket connections, etc.)?
>
>Ken R.
>
>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
>[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
>Sent: Tuesday, February 07, 2006 6:34 PM
>To: Kurt D. Zeilenga
>Cc: Ramseyer, Ken; OpenLDAP-software@OpenLDAP.org
>Subject: Re: Protecting a slapd Server from Excessive Client Queries
>
>Kurt D. Zeilenga wrote:
>> At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
>>> Can OpenLDAP (slapd) be protected from a runaway client process that
>>> repeatedly calls ldap_search thousands of times a second?
>>
>> IIRC, slapd(8) will attempt to prevent a single connection from
>> consuming more than half the thread pool.  Of course, a client which
>> consumes half the thread pool for even short periods of time can
>> adversely affect service to other clients.
>>
>> Beyond this, no other slapd(8) features come to mind.
>
>And of course, a moderately powerful machine can easily service
>thousands of searches per second.  So the other question is, what are
>you really trying to protect against?
>
>  -- Howard Chu
>  Chief Architect, Symas Corp.  http://www.symas.com
>  Director, Highland Sun        http://highlandsun.com/hyc
>  OpenLDAP Core Team            http://www.openldap.org/project/
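The directives named in this thread (sizelimit, timelimit, limits,
conn_max_pending, conn_max_pending_auth, sockbuf_max_incoming and
sockbuf_max_incoming_auth) can be combined into the tiered, "know your
clients" policy Kurt describes: anonymous binds get almost nothing,
authenticated users get a working allowance, and one known service
account is exempt.  The slapd.conf fragment below is an added example
for this page, not configuration posted by any of the participants.  The
suffix dc=example,dc=com and the service DN cn=syncrepl,ou=services are
assumed for illustration; the numeric values for the conn_max_* and
sockbuf_max_* directives are the defaults documented in slapd.conf(5).

```conf
# Added example (not from the thread).  Suffix dc=example,dc=com and the
# cn=syncrepl service DN are assumed for illustration.

# Weak setting: relying on the built-in defaults only.  Every client,
# anonymous included, may pull up to 500 entries per search and run
# each search for up to an hour, as fast as it can issue them.
#sizelimit 500
#timelimit 3600

# Corrected setting: a conservative global default, then per-client
# tiers via the 'limits' directive.  The most specific matching 'limits'
# line wins for a given bound identity.
sizelimit 500
timelimit 60

# Anonymous binds: tiny answers, short searches.
limits anonymous size=10 time=5

# Any authenticated user.  The soft size limit applies when the client
# requests none; the hard limit is the ceiling a client may request.
limits users size.soft=100 size.hard=500 time=30

# A known consumer that legitimately needs unbounded results
# (assumed DN).  Authenticating it is what lets it be singled out.
limits dn.exact="cn=syncrepl,ou=services,dc=example,dc=com" size=unlimited time=unlimited

# Per-connection backlog of operations not yet processed.  If a client
# submits requests faster than slapd can service them and the queue
# exceeds this count, slapd closes that session rather than letting one
# connection queue without bound.  First value is for anonymous
# sessions, second for authenticated ones (documented defaults).
conn_max_pending 100
conn_max_pending_auth 1000

# Largest single incoming LDAP PDU accepted before the connection is
# dropped, again anonymous first (documented defaults).
sockbuf_max_incoming 262143
sockbuf_max_incoming_auth 4194303
```

Two caveats a practitioner should keep in mind.  First, these limits
bound the cost of each operation and the depth of each connection's
queue; they do not rate-limit how many operations a client opens per
second, which is the gap the overlay Howard Chu sketches would fill.
Second, because 'limits' keys on the bound DN, the per-user and
per-account tiers only help if clients actually authenticate; a client
that binds anonymously falls into the 'anonymous' line, which is the
reason to make that tier the stingiest.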