Niklas Gustavsson wrote:
On Thu, Nov 6, 2008 at 6:46 PM, Julien Vermillard
<[EMAIL PROTECTED]> wrote:
But if you accept the session (opening) you send all the TCP soup
for opening/accepting the socket connection, and if you close the
session directly you send all the TCP soup for closing the socket
connection. I hardly can imagine it can protect you from any DoS.

That would at least be cheaper than doing the rest of your stuff
(decoding/encoding, business logic and so on), right?
Well, if you are going to drop connections just because you have hundreds (or even thousands) arriving at the same time, then that means your server is being badly DoSed. Now you have two cases:

- your server is reachable by outsiders: you better have a front system to deal with such attacks. Whatever you do on MINA side will be far from enough to protect you. So I tend to think that, in this case, the connection throttling is absolutely useless.
- your server is only used from a private network. Some wrong process is pounding your server, and it will make it die sooner or later. Again, in this case, I would rather let it die quickly, in order to be able to react quickly.

Considering that such attacks (or incorrect usage from internal applications) are impossible to avoid, trying to fix them on the application layer is like trying to empty the sea with a tea spoon...


So while not
the perfect protection, it is certainly better than nothing.
Well, in this very case, doing nothing or something is equivalent. You are just offering a small margin during which your server will resist, but I'm not sure it is worth the effort.

Of course, IMHO :)


--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org

