[Opensim-dev] Rate Limit DOS Protection

R.Gunther rigun at rigutech.nl
Tue Oct 8 13:05:14 UTC 2013


Does this class do the same as what I once tried with Apache?
With Apache it worked, but as soon as you used groups and the DDoS Apache
filter was set too low, it got jammed and stuck.
But if you set it too high, the use is possibly zero. Not saying it's
useless. But maybe good to understand how it works or what it's looking at.
It also helps people to tune the setting right if they want to use it.
Especially group chat can be seen as DDoS.

On 2013-10-08 14:52, Melanie wrote:
> I'm worried that people with larger installations will see service failures because legit traffic is seen as abusive. This could cause issues for the larger grids out there. I don't believe that whatever tenuous protection this may offer for small grids and standalones outweighs the potential service impairment it may cause for unsuspecting larger grids. Not every grid operator reads this list.
>
> So I'd again suggest that we stick to the way we've always done it and make the default for new features be "off".
>
> Melanie
>
> On 8 Oct 2013, at 09:31, Teravus Ovares <teravus at gmail.com> wrote:
>
> I understand what you're saying. It's hard to argue to leave
> people unprotected from attacks, though. I'm certainly open to
> making the defaults less protective, and, I'm concerned enough about
> it that I'd prefer to leave some protection in place there.
>
> What are your thoughts on that?
>
> Best Regards
>
> Teravus
>
> On Tue, Oct 8, 2013 at 12:41 AM, Melanie <melanie at t-data.com> wrote:
>> Hi,
>>
>> in keeping with our SOP, the defaults provided should be emulating
>> the previous behavior, e.g. NO rate limiting.
>>
>> I would much appreciate if that procedure would be adhered to,
>> unless we vote to abandon it. Users could suffer because they don't
>> expect the default config to change on them.
>>
>> Cheers,
>>
>> Melanie
>>
>> On 08/10/2013 05:42, Teravus Ovares wrote:
>>> Hi there,
>>>
>>> I just wanted to inform -dev that I added some rate limiting DOS
>>> protection classes to use to protect your opensim based services from
>>> rapid calling. At the moment, this will be most noticeable in the
>>> Login Service. I have, both as an example, and good practice,
>>> applied the Rate limit protection to the login service. There are
>>> new Configuration options in StandaloneCommon.ini and Robust.ini that
>>> control how the connections are rate limited and if it trusts the
>>> X-Forwarded-For header. Just for the sake of getting something up
>>> there, I set the defaults to something sane, however they may not work
>>> for everyone, so it may be wise to take a look at the new
>>> configuration options in the [LoginService] section of your
>>> bin/Robust.ini.example and
>>> /bin/config-include/StandaloneCommon.ini.example AND/OR have
>>> discussions on what would be more sane default options. There's a
>>> chance that this could affect anyone, so don't neglect to take a look
>>> at it.
>>>
>>> You may also notice messages on your console and in your logs like:
>>> 21:56:29 - [LOGINDOSPROTECTION]: client: 192.168.1.213 is blocked for
>>> 120000 milliseconds, X-ForwardedForAllowed status is False,
>>> endpoint:192.168.1.213
>>>
>>> This is an example of the DOS Protection blocking a connection because
>>> the client went beyond the rate limit.
>>>
>>> The rate limit is defined by X requests in Y period of time and is
>>> implemented in a rolling Y fashion. It also has a 'forget' period of
>>> time that will unblock the blocked user.
>>>
>>> At this point, there's one implemented for XMLRPC handlers, one for
>>> GenericHTTPHandlers and a base class for StreamHandlers based on
>>> BaseStreamHandler.
>>>
>>> If you are interested in the code changes, you can check the diff:
>>> http://opensimulator.org/viewgit/?a=commitdiff&p=opensim&h=f76cc6036ebf446553ee5201321879538dafe3b2
>>>
>>> There's still more to do, and, here's a start to providing some
>>> modicum of protection on the services.
>>>
>>> If you have any questions, feel free to reply and ask, or send me an
>>> e-mail personally.
>>>
>>> Thanks and Best Regards
>>>
>>> Teravus
>>> _______________________________________________
>>> Opensim-dev mailing list
>>> Opensim-dev at lists.berlios.de
>>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>
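
The scheme described in the thread (X requests in a rolling period Y, a 'forget' period that unblocks the client, and an optional trust of X-Forwarded-For) can be sketched as follows. This is an added example, not part of the original messages and not OpenSim's own code; the class, method and parameter names are hypothetical, the addresses in the test data are constructed, and it assumes a single trusted proxy that appends the address it saw to X-Forwarded-For.

```python
from collections import defaultdict, deque


class RollingRateLimiter:
    """Allow at most max_requests per client within any window_ms span;
    a client that exceeds it is blocked until forget_ms has elapsed."""

    def __init__(self, max_requests, window_ms, forget_ms, allow_xff=False):
        self.max_requests = max_requests
        self.window_ms = window_ms
        self.forget_ms = forget_ms
        self.allow_xff = allow_xff        # hypothetical name for the XFF option
        self._hits = defaultdict(deque)   # client key -> recent request times
        self._blocked_until = {}          # client key -> unblock time (ms)

    def client_key(self, endpoint_ip, headers):
        # Trust X-Forwarded-For only when configured to: any client can send
        # this header, so honouring it with no proxy in front lets the caller
        # choose its own rate-limit bucket. Assumption: the last entry is the
        # one appended by the single trusted proxy.
        xff = headers.get("X-Forwarded-For", "")
        if self.allow_xff and xff.strip():
            return xff.split(",")[-1].strip()
        return endpoint_ip

    def allow(self, endpoint_ip, headers, now_ms):
        key = self.client_key(endpoint_ip, headers)
        until = self._blocked_until.get(key)
        if until is not None:
            if now_ms < until:
                return False              # still inside the block period
            del self._blocked_until[key]  # 'forget': unblock and start fresh
            self._hits[key].clear()
        hits = self._hits[key]
        while hits and now_ms - hits[0] >= self.window_ms:
            hits.popleft()                # rolling window: drop expired hits
        hits.append(now_ms)
        if len(hits) > self.max_requests:
            self._blocked_until[key] = now_ms + self.forget_ms
            return False
        return True


def replay(limiter, requests):
    """Run constructed (time_ms, endpoint_ip, headers) tuples through allow()."""
    return [limiter.allow(ip, hdrs, t) for t, ip, hdrs in requests]
```

Replaying several users who share one proxy address with `allow_xff=False` shows the false-positive case raised in the replies: they all land in one bucket and are blocked together.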



