[email protected] said:
> On Tue, Jul 27, 2010 at 6:30 PM, Martin Lucina <[email protected]> wrote:
>
> > These days this kind of thing is generally out of the control of the
> > application and handled by administrators using firewall rules.
>
> Uhm, firewalls are obviously necessary defense for certain kinds of
> attack, but they generally can't handle clients that send malformed
> requests indicating infection or hostile intent.
>
> A smart HTTP server checks for known attacks (proxy probes, invalid
> paths, SQL injections, over-long requests, too many concurrent
> requests) and adds such clients' IP addresses to a black list. It
> does not continue to accept them, that would pollute logs. It cannot
> get firewall assistance for this.
Interesting, I've not actually seen an HTTP server that implements the
functionality you describe. What you are describing is more along the
lines of an IDS coupled with a stateful firewall.

> Any Internet scale service using 0MQ is going to have to be able to
> temporarily or permanently reject incoming connections on random
> criteria.
>
> Trivial example: 0MQ XREQ client that makes endless new connections to
> a 0MQ XREP server, specifying new identities each time. Server
> crashes. Firewall looks on in amusement.

Stateful firewall of 2010 != what you are thinking. You can define
connection rates per minute, manipulate rules automatically if you so
wish.

I'm not saying that 0MQ one day may not have some minimum of the
functionality you're describing, but 0MQ sockets being at the layer they
are in terms of the network stack, most of what you're describing is
really an OS/admin/IDS/firewall job and not 0MQ's job.

-mato
_______________________________________________
zeromq-dev mailing list
[email protected]
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
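The two positions in the exchange above (the server keeping its own blacklist of abusive clients, and the stateful firewall enforcing per-source connection rates and having its rules manipulated automatically) can be combined on Linux with netfilter. The script below is an added example written for this page; it is not code from the thread or from the 0MQ project. It assumes a 0MQ listener on TCP port 5555, a limit of 30 new connections per source IP per minute and 20 concurrent connections per source IP, an ipset named zmq_block with a 600-second entry timeout, and a kernel with the conntrack, connlimit, hashlimit and set match modules available. Those numbers are placeholders to adjust per deployment.

```shell
#!/bin/sh
# Added example (not from the zeromq-dev thread or the 0MQ project).
# Rate-limits new TCP connections to a 0MQ listener with netfilter and
# keeps an ipset blacklist that the application or an IDS can add
# offenders to. Port 5555, 30 new connections/minute, 20 concurrent
# connections and the set name zmq_block are assumptions for illustration.

# Print the ipset/iptables commands for port $1 with at most $2 new
# connections per minute per source IP. Only echoes; nothing is applied.
zmq_firewall_rules() {
    port="$1"
    rate="$2"
    set_name="${3:-zmq_block}"
    cat <<EOF
ipset -exist create $set_name hash:ip timeout 600
iptables -A INPUT -p tcp --dport $port -m set --match-set $set_name src -j DROP
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m connlimit --connlimit-above 20 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name zmq_$port --hashlimit-mode srcip --hashlimit-above $rate/minute --hashlimit-burst $rate -j DROP
EOF
}

# Command a server or IDS hook runs to blacklist client IP $1 for 600 s.
# The entry expires on its own, so a transient offender is not banned forever.
# Only echoes the command; pipe into 'sh' to apply it.
zmq_blacklist_cmd() {
    printf 'ipset -exist add %s %s timeout 600\n' "${2:-zmq_block}" "$1"
}

# Stand-alone run: a dry run prints the rules; APPLY=1 executes them as root.
if [ "${APPLY:-0}" = 1 ]; then
    zmq_firewall_rules "${PORT:-5555}" "${RATE:-30}" | sh -e
else
    zmq_firewall_rules "${PORT:-5555}" "${RATE:-30}"
fi
```

Run without arguments to review the generated rules, then with `APPLY=1` as root to install them. The ordering matters: the ipset match comes first so blacklisted sources are dropped before any per-connection accounting, the connlimit rule caps concurrent connections per source, and the hashlimit rule drops SYNs from any source that exceeds the per-minute rate. An application that detects an abusive client (the XREQ identity flood described above, for instance) does `zmq_blacklist_cmd 203.0.113.7 | sh` and the kernel stops the traffic before it reaches the 0MQ socket, which is the division of labour the reply argues for.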
