MXS-2414: Prototype connection attempt throttling

The RateLimit class stores authentication failure data mapped by the client IP addresses. The authentication failures are limited per thread. The limits are still hard-coded and at least the number of failures should be made configurable. The simplest, most maintainable and acceptably efficient implementation for DDoS protection is a thread-local unordered_map. The unwanted side-effect of "scaling" of the number of allowed authentication failures is unlikely to be problematic in most use-cases. As the blocking of a host is only temporary, the behavior differs from the one in the MariaDB server. This allows the number of failures to be set to a much lower value negating some of the problems caused by the relatively simple implementation.
2019-04-18 16:21:36 +03:00
parent d1ab4fcb89
commit cf86b0cb7e
3 changed files with 77 additions and 0 deletions
--- a/include/maxscale/listener.hh
+++ b/include/maxscale/listener.hh
@ -186,6 +186,16 @@ public:
        return m_type;
    }

+    /**
+     * Mark authentication as failed
+     *
+     * This updates the number of failures that have occurred from this host. If the number of authentications
+     * exceeds a certain value, any attempts to connect from the remote in quesion will be rejected.
+     *
+     * @param remote The address where the connection originated
+     */
+    void mark_auth_as_failed(const std::string& remote);
+
    // Functions that are temporarily public
    bool          create_listener_config(const char* filename);
    struct users* users() const;