On Tue, Jul 27, 2010 at 10:22 AM, Pieter Hintjens <[email protected]> wrote:
> On Tue, Jul 27, 2010 at 6:51 PM, Martin Lucina <[email protected]> wrote:
>
> > Interesting, I've not actually seen an HTTP server that implements the
> > functionality you describe. What you are describing is more along the lines
> > of an IDS coupled with a stateful firewall.
>
> Most modern web servers offer ways to filter requests early on and
> return error messages before the request actually gets processed or
> (worst case) passed to business logic that may not be able to handle
> it. See e.g.
> http://blog.taragana.com/index.php/archive/nginx-how-to-stop-referrer-spam-with-keyword-filtering/
>
> All web servers of any quality offer IP blocks but they are afaik
> configured manually.
>
> Ultramodern (so modern they don't fully exist :-) servers like X5
> (www.xitami.com) combine this to do on the fly blacklisting.
>
> >> Any Internet scale service using 0MQ is going to have to be able to
> >> temporarily or permanently reject incoming connections on random
> >> criteria.
> >>
> >> Trivial example: 0MQ XREQ client that makes endless new connections to
> >> a 0MQ XREP server, specifying new identities each time. Server
> >> crashes. Firewall looks on in amusement.
> >
> > Stateful firewall of 2010 != what you are thinking. You can define
> > connection rates per minute, manipulate rules automatically if you so wish.
>
> Yes, and this is all useful, but you can't (easily) configure them to
> detect application-level attacks. E.g. someone doing an obvious
> dictionary attack on an SMTP server.
>
> > I'm not saying that 0MQ one day may not have some minimum of the
> > functionality you're describing, but 0MQ sockets being at the layer they
> > are in terms of the network stack most of what you're describing is really
> > an OS/admin/IDS/firewall job and not 0MQ's job.
>
> Just sayin, we'll see people try to use 0MQ at Internet scale faster
> than you might imagine, and right now such attempts will probably
> suffer because they lack necessary protection.
>

+1. Currently we have to bridge our 0MQ traffic over HTTP or tunnel through SSH when we want to run things over the internet. Quite a pain.

Brian

> -Pieter

--
Brian E. Granger, Ph.D.
Assistant Professor of Physics
Cal Poly State University, San Luis Obispo
[email protected]
[email protected]
_______________________________________________ zeromq-dev mailing list [email protected] http://lists.zeromq.org/mailman/listinfo/zeromq-dev
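The per-peer admission control Pieter describes above (a cap on connection attempts per time window, a bound on how many fresh identities one peer may present, and an on-the-fly temporary blacklist) sketched in Python as an added example. This is not 0MQ code and not code from anyone in the thread: the `PeerGuard` class, its thresholds, the peer addresses and the timelines are all constructed for illustration, and where a 0MQ server would obtain the peer address for the lookup key is left as an assumption.

```python
"""Admission control keyed by peer address: sliding-window connection
rate, distinct-identity cap, temporary ban.  Added example; not 0MQ code.
The class name, thresholds and scenarios below are assumptions."""
import time
from collections import defaultdict, deque


class PeerGuard:
    def __init__(self, max_conns, window_s, ban_s, max_identities,
                 clock=time.monotonic):
        self.max_conns = max_conns            # accepted connects per window
        self.window_s = window_s              # sliding-window length (s)
        self.ban_s = ban_s                    # how long an offender is rejected
        self.max_identities = max_identities  # distinct identities per peer
        self._clock = clock
        self._connects = defaultdict(deque)   # peer -> accepted connect times
        self._identities = defaultdict(set)   # peer -> identities seen
        self._banned = {}                     # peer -> ban expiry time

    def admit(self, peer, identity):
        """Return 'ok' to accept the connection, else the rejection reason."""
        now = self._clock()
        expiry = self._banned.get(peer)
        if expiry is not None:
            if now < expiry:
                return "banned"
            # Ban expired: drop the old state so the peer starts clean.
            del self._banned[peer]
            self._connects[peer].clear()
            self._identities[peer].clear()
        window = self._connects[peer]
        while window and now - window[0] >= self.window_s:
            window.popleft()              # expire old entries from the window
        if len(window) >= self.max_conns:
            self._banned[peer] = now + self.ban_s
            return "rate-limited"
        seen = self._identities[peer]
        if identity not in seen and len(seen) >= self.max_identities:
            # The XREQ-vs-XREP case from the thread: a fresh identity on
            # every connect would otherwise grow the server's routing table
            # without bound.
            self._banned[peer] = now + self.ban_s
            return "identity-flood"
        seen.add(identity)
        window.append(now)
        return "ok"


class FakeClock:
    """Deterministic clock so the constructed scenarios are reproducible."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate_identity_flood():
    """Constructed scenario: peer 10.0.0.7 connects once a second with a new
    identity each time; peer 10.0.0.8 reconnects every 4 s under one stable
    identity and must not be affected by the other peer's ban."""
    clock = FakeClock()
    guard = PeerGuard(max_conns=5, window_s=60, ban_s=30,
                      max_identities=3, clock=clock)
    flood, stable = [], []
    for i in range(10):
        clock.t = float(i)
        flood.append(guard.admit("10.0.0.7", f"id-{i}"))
        if i % 4 == 0:
            stable.append(guard.admit("10.0.0.8", "worker-1"))
    clock.t = 40.0                         # past the 30 s ban started at t=3
    after_ban = guard.admit("10.0.0.7", "id-99")
    return flood, stable, after_ban


def simulate_reconnect_storm():
    """Constructed scenario: one identity reconnecting every second trips
    the per-window connection cap, not the identity cap."""
    clock = FakeClock()
    guard = PeerGuard(max_conns=5, window_s=60, ban_s=30,
                      max_identities=3, clock=clock)
    results = []
    for i in range(7):
        clock.t = float(i)
        results.append(guard.admit("10.0.0.9", "worker-1"))
    clock.t = 36.0                         # ban started at t=5 has expired
    return results, guard.admit("10.0.0.9", "worker-1")


if __name__ == "__main__":
    print(simulate_identity_flood())
    print(simulate_reconnect_storm())
```

The two limits answer the two attacks named in the thread separately: the identity cap catches a client that keeps a low connect rate but never reuses an identity, while the connection window catches a client that reuses one identity but reconnects in a storm. Whether the check lives in the application above the socket, in the library, or in an external IDS/firewall is exactly the question the thread leaves open; the logic is the same wherever it sits, provided that layer can see the peer address.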
