Lyndon Nerenberg wrote:
> 
> >>>>> "Mark" == Mark Murray <[EMAIL PROTECTED]> writes:
> 
>     Mark> o A username may only be checked $number times per
>     Mark> $timeperiod; after that, _all_ answers are silently
>     Mark> converted to "no".
> 
> Umm, massive DOS hole.

Per username.  If you publish your userlist, you're an idiot.  The
daemon should also immediately go into "breakin evasion mode" for 
all invalid usernames, answering the requests very slowly.

>     Mark> o Daemon may only be invoked $number times per $timeperiod;
>     Mark> refuses to fork after that.
> 
> Another massive DOS hole.

Right, this one doesn't fly.

>     Mark> o Daemon will delay $timeperiod before returning answer.
> 
> This is the correct way to deal with (perceived) attacks.

Please, not for a single valid request, or even two.  Let's give the
user the opportunity to login, and perhaps to goober their password
once, before screwing them.

>     Mark> ... etc. There are possibilities for DoS attacks, but the
>     Mark> daemon talks only to a Unix Domain Socket, so finding the
>     Mark> perp is easy.
> 
> Not if the daemon has shut itself off due to load (#1 or #2 above) and you
> aren't currently logged in to the box.

Sure there is, it's called logging.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
[EMAIL PROTECTED]                                           http://softweyr.com/
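The policy argued over above (a per-username attempt budget per time window, a couple of free attempts before any delay, slow refusals for unknown usernames, and logging so the caller can be traced) can be sketched in a few dozen lines. The following is an added illustration, not code from the thread or from FreeBSD; the class name AuthThrottle, its parameters, the injectable clock, and the "uid=1001" peer identity (standing in for whatever credential the daemon reads off its Unix domain socket) are all assumptions made here.

```python
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("authd")


class AuthThrottle:
    """Per-username throttle for a password-checking daemon.

    Policy (hypothetical, assembled from the proposals in the thread):
      * a username may be checked at most `max_attempts` times per
        `window` seconds; beyond that every answer is forced to "no";
      * the first `grace` attempts in a window are answered at once, so a
        user who mistypes once or twice is not punished;
      * attempts between `grace` and `max_attempts` are still checked
        but answered only after `delay` seconds;
      * unknown usernames are never checked and are always answered
        slowly ("breakin evasion mode");
      * every decision is logged together with the caller identity, which
        is what lets an operator find the source afterwards.
    """

    def __init__(self, max_attempts=5, window=60.0, grace=2, delay=3.0,
                 known_users=(), clock=time.monotonic):
        if not 0 <= grace <= max_attempts:
            raise ValueError("grace must lie between 0 and max_attempts")
        self.max_attempts = max_attempts
        self.window = window
        self.grace = grace
        self.delay = delay
        self.known_users = frozenset(known_users)
        self.clock = clock  # injectable so the policy can be exercised offline
        self._attempts = defaultdict(deque)  # username -> attempt timestamps

    def _recent(self, user, now):
        """Drop attempts that fell out of the window; return the live deque."""
        q = self._attempts[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def decide(self, user, peer):
        """Return (check_password, delay_seconds, reason).

        check_password is False when the answer must be forced to "no"
        without consulting the real password database; delay_seconds is
        how long the daemon should wait before replying.
        """
        now = self.clock()
        if user not in self.known_users:
            log.warning("unknown user %r from %s: slow refusal", user, peer)
            return False, self.delay, "unknown-user"
        q = self._recent(user, now)
        q.append(now)  # failed and refused attempts count too
        n = len(q)
        if n > self.max_attempts:
            log.warning("user %r from %s: %d attempts in %.0fs, forcing no",
                        user, peer, n, self.window)
            return False, self.delay, "rate-limited"
        if n > self.grace:
            log.info("user %r from %s: attempt %d, delaying %.1fs",
                     user, peer, n, self.delay)
            return True, self.delay, "delayed"
        log.info("user %r from %s: attempt %d, immediate", user, peer, n)
        return True, 0.0, "ok"


def simulate(throttle, requests):
    """Apply decide() to a constructed list of (user, peer) requests."""
    return [throttle.decide(user, peer) for user, peer in requests]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    t = AuthThrottle(known_users={"mark"})
    # Constructed sample: six checks against a real user, then an unknown one.
    sample = [("mark", "uid=1001")] * 6 + [("nobody", "uid=1001")]
    for result in simulate(t, sample):
        print(result)
```

With the defaults, attempts one and two are answered immediately, three through five are checked but delayed, and from the sixth on the answer is forced to "no" until the window slides past the oldest attempt. Only the per-username budget is enforced here; a global fork limit (point #2 in the thread) is deliberately absent, since that is the variant both sides agreed is a denial-of-service hole.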

