[Bug 1078111] Tryton Server: Impact mitigation for DDoS attack
http://bugzilla.suse.com/show_bug.cgi?id=1078111
http://bugzilla.suse.com/show_bug.cgi?id=1078111#c7
--- Comment #7 from Matthias Gerstner
> We also have to keep in mind that trytond can run in multiple environments: Linux, BSD and there might even be a few people using Windows; of course this doesn't concern openSUSE but it concerns us.
I understand. This is easily forgotten, but I know myself how difficult cross-platform development can be. Would you accept a configurable approach? Keep the default as it is, but allow users or integrators that run Linux to select a different behaviour that avoids the discussed effect on the database?
> A solution to mitigate the growth of the LoginAttempt table might be to keep track of the IP making the attempt and keep at most X attempts from the same IP. In fact, after some research it seems that it is the solution that Drupal chose:
If it works for Drupal then it may be the right thing to do. A quick search suggests there are also some pitfalls here, like multiple users sharing the same IP or using proxies to circumvent the protection. Web application design is not exactly my area of expertise, however. I'm sure all of you can work out a solution that addresses both concerns. I think both parties can agree that there is an attack surface here, but also that it can't be fixed so simply (with regard to the proposed patch). While OS-level DoS protection is certainly best practice, an improved implementation would benefit tryton and serve as a defence-in-depth measure.
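The two points raised in this comment, capping stored attempts per source IP and the weakness of that cap against proxies or shared addresses, can be made concrete with a small model. The following is an added example written for this page; it is not trytond's code and does not touch the real LoginAttempt table. It keeps the attempt log in memory, with the class name `AttemptLog`, the cap constant `MAX_PER_IP` and the constructed `10.0.x.y` source addresses all being this example's own assumptions.

```python
"""Bounded per-IP login-attempt log (added illustration, not trytond code).

Models the LoginAttempt table as an in-memory dict of per-IP deques so the
table growth can be compared with and without a per-IP cap, and so the
"many source IPs" pitfall from the thread is visible in the numbers.
"""
from collections import deque
import time

MAX_PER_IP = 5  # assumed value for the "X attempts from the same IP" cap


class AttemptLog:
    """Records failed login attempts keyed by source IP.

    With max_per_ip=None every attempt is kept (unbounded growth).
    With an integer cap, the oldest entries for that IP are evicted so the
    store never holds more than max_per_ip rows per source address.
    """

    def __init__(self, max_per_ip=None):
        self.max_per_ip = max_per_ip
        self._by_ip = {}  # ip -> deque of (timestamp, login)

    def record(self, ip, login, now=None):
        """Store one failed attempt and return the rows held for this IP."""
        now = time.time() if now is None else now
        q = self._by_ip.setdefault(ip, deque())
        q.append((now, login))
        if self.max_per_ip is not None:
            while len(q) > self.max_per_ip:
                q.popleft()  # drop the oldest attempt for this source
        return len(q)

    def recent(self, ip, window, now=None):
        """Count attempts from `ip` within the last `window` seconds."""
        now = time.time() if now is None else now
        return sum(1 for ts, _ in self._by_ip.get(ip, ()) if now - ts <= window)

    def total(self):
        """Total rows held, i.e. the size the table would have grown to."""
        return sum(len(q) for q in self._by_ip.values())


def simulate_growth(cap, attempts, ips):
    """Return the number of stored rows after `attempts` failed logins
    spread round-robin over `ips` distinct source addresses.

    Input is constructed: the addresses are fake 10.0.x.y values and the
    timestamps are simply the attempt index in seconds.
    """
    log = AttemptLog(max_per_ip=cap)
    for i in range(attempts):
        n = i % ips
        ip = f"10.0.{n // 256}.{n % 256}"
        log.record(ip, "admin", now=float(i))
    return log.total()


if __name__ == "__main__":
    # One source, no cap: the table grows with every attempt.
    print("uncapped, 1 IP   :", simulate_growth(None, 10000, 1))
    # One source, capped: at most MAX_PER_IP rows survive.
    print("capped,   1 IP   :", simulate_growth(MAX_PER_IP, 10000, 1))
    # Many sources (proxies / a botnet), capped: the cap no longer bounds
    # the table, which is the pitfall mentioned in the comment.
    print("capped, 2000 IPs :", simulate_growth(MAX_PER_IP, 10000, 2000))
```

The third run is the reason a per-IP cap is a defence-in-depth measure rather than a complete fix: once attempts are spread over enough source addresses the stored row count is again proportional to the number of attempts, so a global bound or OS-level rate limiting is still needed alongside it. The `recent()` helper shows the other half of such a design, a time-windowed count that a throttling decision could be based on without reading every row for that IP.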