This is what I was thinking. I will create a JIRA entry and add this code
in....
--START--------------------------------------------
import java.net.InetSocketAddress;
import java.net.SocketAddress;

import org.apache.mina.common.IoFilterAdapter;
import org.apache.mina.common.IoSession;
import org.apache.mina.util.ExpiringMap;
import org.apache.mina.util.SessionLog;

/**
 * Closes a new connection when the same remote IP address last connected
 * less than waitTime milliseconds ago.
 */
public class ConnThrottleFilter extends IoFilterAdapter {
    private static final long DEFAULT_TIME = 1000;

    private long waitTime;

    // Time of the most recent connection attempt, keyed by remote IP address.
    private final ExpiringMap<String,Long> clients;

    public ConnThrottleFilter() {
        this( DEFAULT_TIME );
    }

    public ConnThrottleFilter( long millis ){
        this.waitTime = millis;
        clients = new ExpiringMap<String,Long>(60);
    }

    public void setWaitTime(long waitTime) {
        this.waitTime = waitTime;
    }

    private synchronized boolean isConnectionOk( IoSession session ){
        SocketAddress remoteAddress = session.getRemoteAddress();
        if( remoteAddress instanceof InetSocketAddress )
        {
            long now = System.currentTimeMillis();
            InetSocketAddress addr = (InetSocketAddress)remoteAddress;
            String host = addr.getAddress().getHostAddress();
            Long last = clients.get(host);
            // Record every attempt, so a client that keeps reconnecting stays blocked.
            clients.put( host, now );
            // OK on the first connection, or once waitTime has passed since the last one.
            return last == null || (now - last) >= waitTime;
        }
        return false;
    }

    @Override
    public void sessionCreated(NextFilter nextFilter, IoSession session)
            throws Exception {
        if( ! isConnectionOk(session)){
            SessionLog.info( session, "Connections coming in too fast; closing." );
            session.close();
        } else {
            // Pass accepted sessions on to the rest of the filter chain.
            nextFilter.sessionCreated(session);
        }
    }
}
--END--------------------------------------------------------
On 6/22/07, Norman Maurer <[EMAIL PROTECTED]> wrote:
Hi Mat,
it depends on your protocol. You should think about how many connects are
expected ;-)
bye
Norman
On Fri, 22 Jun 2007 15:15:29 +0800, mat <[EMAIL PROTECTED]> wrote:
> Can you give some idea what the configured time could be?
>
> On 6/22/07, Norman Maurer <[EMAIL PROTECTED]> wrote:
>>
>> You could write an IOFilter which limits the connections per IP in a
>> configured time. I did the same in a project for limiting the connections
>> per time on an SMTP server.
>>
>> Bye
>> Norman
>>
>>
>> On Fri, 22 Jun 2007 14:16:53 +0800, mat <[EMAIL PROTECTED]> wrote:
>> > Thanks. My concern is: what if some clients write a loop that keeps
>> > opening socket connections, my server keeps accepting them, and
>> > eventually the MINA core rejects any new connections? Is that possible?
>> > Correct me if I am wrong.
>> >
>> > On 6/22/07, 凌晨 <[EMAIL PROTECTED]> wrote:
>> >>
>> >> Dear mat:
>> >> I think you should implement your own handler to detect this kind of
>> >> connection from time to time, then kill them all.
>> >> You send some detecting packets to these connected connections: no
>> >> response, no connection.
>> >> Best Wishes
>> >>
>> >> ----- Original Message -----
>> >> From: "Mark Webb" <[EMAIL PROTECTED]>
>> >> To: <[email protected]>
>> >> Sent: Friday, June 22, 2007 8:56 AM
>> >> Subject: Re: malicious client
>> >>
>> >>
>> >> > maybe a variant of the throttle filter which only allows one connection
>> >> > per IP at a time.
>> >> >
>> >> > On 6/21/07, mat <[EMAIL PROTECTED]> wrote:
>> >> >>
>> >> >> Thanks. But how should I set the TIMEOUT since the malicious client could
>> >> >> connect by programming a loop, couldn't he?
>> >> >>
>> >> >> 2007/6/21, Mark Webb <[EMAIL PROTECTED]>:
>> >> >> >
>> >> >> > an IoFilter could probably work. This is related to the filter work that
>> >> >> > was discussed a while back that dealt with heartbeats.
>> >> >> >
>> >> >> > On 6/21/07, Julien Vermillard <[EMAIL PROTECTED]> wrote:
>> >> >> > >
>> >> >> > > On Thu, 21 Jun 2007 20:46:55 +0800
>> >> >> > > mat <[EMAIL PROTECTED]> wrote:
>> >> >> > >
>> >> >> > > > I wonder whether any function could protect Mina from a malicious
>> >> >> > > > client attacking by opening connections and not sending any data.
>> >> >> > > > If NOT, what could I do? Thanks.
>> >> >> > >
>> >> >> > > Hi,
>> >> >> > >
>> >> >> > > Just detect IDLEness, in your IoHandler sessionIdle.
>> >> >> > > If a client doesn't send enough data, close it.
>> >> >> > >
>> >> >> > > HTH
>> >> >> > >
>> >> >> > > Julien
>> >> >> > >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > ..Cheers
>> >> >> > Mark
>> >> >> >
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > ..Cheers
>> >> > Mark
>> >> >
>> >
>> >
>> >
>> >
>> >
>>
>>
--
..Cheers
Mark
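
The variant suggested earlier in the thread, a limit on how many connections one IP may hold open at the same time, as an added example that is not part of the original thread or of MINA. The class name PerIpConnectionLimiter and its methods are hypothetical; a filter would call tryAcquire from sessionCreated and release from sessionClosed.

```java
import java.net.InetAddress;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper: caps simultaneous connections per remote IP. */
public class PerIpConnectionLimiter {
    private final int maxPerIp;
    // Number of currently open connections, keyed by remote IP address.
    private final Map<String, Integer> open = new HashMap<String, Integer>();

    public PerIpConnectionLimiter(int maxPerIp) {
        if (maxPerIp < 1) {
            throw new IllegalArgumentException("maxPerIp must be >= 1");
        }
        this.maxPerIp = maxPerIp;
    }

    /** Call when a session is created; false means close it at once. */
    public synchronized boolean tryAcquire(InetAddress remote) {
        String host = remote.getHostAddress();
        Integer current = open.get(host);
        int count = (current == null) ? 0 : current;
        if (count >= maxPerIp) {
            return false;            // limit reached, count is left unchanged
        }
        open.put(host, count + 1);
        return true;
    }

    /** Call when a session closes, but only if tryAcquire accepted it. */
    public synchronized void release(InetAddress remote) {
        String host = remote.getHostAddress();
        Integer current = open.get(host);
        if (current == null) {
            return;                  // nothing recorded for this address
        }
        if (current <= 1) {
            open.remove(host);       // drop the entry so the map cannot grow forever
        } else {
            open.put(host, current - 1);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: 192.0.2.10 is a documentation address (RFC 5737).
        PerIpConnectionLimiter limiter = new PerIpConnectionLimiter(1);
        InetAddress client = InetAddress.getByName("192.0.2.10");
        System.out.println("first connection accepted:  " + limiter.tryAcquire(client));
        System.out.println("second while first is open: " + limiter.tryAcquire(client));
        limiter.release(client);
        System.out.println("after the first has closed: " + limiter.tryAcquire(client));
    }
}
```

A filter using this has to remember which sessions were accepted (for example with a session attribute), because a rejected session also produces a close event and must not decrement the count.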