<p dir="ltr">Also I might point out that this policy has rarely been adhered in the past, and generally in cases where the practical operations impact is far greater (HG).</p>
<p dir="ltr">Cheers</p>
<div class="gmail_quote">On Oct 8, 2013 2:40 AM, "Teravus Ovares" <<a href="mailto:teravus@gmail.com">teravus@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I understand what you're saying. It's hard to argue to leave<br>
people unprotected from attacks, though. I'm certainly open to<br>
making the defaults less protective, and, I'm concerned enough about<br>
it that I'd prefer to leave some protection in place there.<br>
<br>
What are your thoughts on that?<br>
<br>
Best Regards<br>
<br>
Teravus<br>
<br>
On Tue, Oct 8, 2013 at 12:41 AM, Melanie <<a href="mailto:melanie@t-data.com">melanie@t-data.com</a>> wrote:<br>
> Hi,<br>
><br>
> in keeping with our SOP, the defaults provided should be emulating<br>
> the previous behavior, e.g. NO rate limiting.<br>
><br>
> I would much appreciate if that procedure would be adhered to,<br>
> unless we vote to abandon it. Users could suffer because they don't<br>
> expect the default config to change on them.<br>
><br>
> Cheers,<br>
><br>
> Melanie<br>
><br>
> On 08/10/2013 05:42, Teravus Ovares wrote:<br>
>> Hi there,<br>
>><br>
>> I just wanted to inform -dev that I added some rate limiting DOS<br>
>> protection classes to use to protect your opensim based services from<br>
>> rapid calling. At the moment, this will be most noticeable in the<br>
>> Login Service. I have, both as an example, and good practice,<br>
>> applied the Rate limit protection to the login service. There are<br>
>> new Configuration options in StandaloneCommon.ini and Robust.ini that<br>
>> control how the connections are rate limited and if trusts the<br>
>> X-Forwarded-For header. Just for the sake of getting something up<br>
>> there, I set the defaults to something sane, however they may not work<br>
>> for everyone, so it may be wise to take a look at the new<br>
>> configuration options in the [LoginService] section of your<br>
>> bin/Robust.ini.example and<br>
>> /bin/config-include/StandaloneCommon.ini.example AND/OR have<br>
>> discussions on what would be more sane default options. There's a<br>
>> chance that this could affect anyone, so don't neglect to take a look<br>
>> at it.<br>
>><br>
>> You may also notice messages on your console and in your logs like:<br>
>> 21:56:29 - [LOGINDOSPROTECTION]: client: 192.168.1.213 is blocked for<br>
>> 120000 milliseconds, X-ForwardedForAllowed status is False,<br>
>> endpoint:192.168.1.213<br>
>><br>
>> This is an example of the DOS Protection blocking a connection because<br>
>> the client went beyond the rate limit.<br>
>><br>
>> The rate limit is defined by X requests in Y period of time and is<br>
>> implemented in a rolling Y fashion. It also has a 'forget' period of<br>
>> time that will unblock the blocked user.<br>
>><br>
>> At this point, there's one implemented for XMLRPC handlers, one for<br>
>> GenericHTTPHandlers and a base class for StreamHandlers based on<br>
>> BaseStreamHandler.<br>
>><br>
>> If you are interested in the code changes, you can check the diff:<br>
>> <a href="http://opensimulator.org/viewgit/?a=commitdiff&p=opensim&h=f76cc6036ebf446553ee5201321879538dafe3b2" target="_blank">http://opensimulator.org/viewgit/?a=commitdiff&p=opensim&h=f76cc6036ebf446553ee5201321879538dafe3b2</a><br>
>><br>
>> There's still more to do, and, here's a start to providing some<br>
>> modicum of protection on the services.<br>
>><br>
>> If you have any questions, feel free to reply and ask.. or send me an<br>
>> e-mail personally.<br>
>><br>
>> Thanks and Best Regards<br>
>><br>
>> Teravus<br>
>> _______________________________________________<br>
>> Opensim-dev mailing list<br>
>> <a href="mailto:Opensim-dev@lists.berlios.de">Opensim-dev@lists.berlios.de</a><br>
>> <a href="https://lists.berlios.de/mailman/listinfo/opensim-dev" target="_blank">https://lists.berlios.de/mailman/listinfo/opensim-dev</a><br>
>><br>
>><br>
> _______________________________________________<br>
> Opensim-dev mailing list<br>
> <a href="mailto:Opensim-dev@lists.berlios.de">Opensim-dev@lists.berlios.de</a><br>
> <a href="https://lists.berlios.de/mailman/listinfo/opensim-dev" target="_blank">https://lists.berlios.de/mailman/listinfo/opensim-dev</a><br>
_______________________________________________<br>
Opensim-dev mailing list<br>
<a href="mailto:Opensim-dev@lists.berlios.de">Opensim-dev@lists.berlios.de</a><br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-dev" target="_blank">https://lists.berlios.de/mailman/listinfo/opensim-dev</a><br>
</blockquote></div>