MXS-2414: Prototype connection attempt throttling
The RateLimit class stores authentication failure data mapped by the client IP addresses. The authentication failures are limited per thread. The limits are still hard-coded and at least the number of failures should be made configurable. The simplest, most maintainable and acceptably efficient implementation for DDoS protection is a thread-local unordered_map. The unwanted side-effect of "scaling" of the number of allowed authentication failures is unlikely to be problematic in most use-cases. As the blocking of a host is only temporary, the behavior differs from the one in the MariaDB server. This allows the number of failures to be set to a much lower value negating some of the problems caused by the relatively simple implementation.
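To make the design the commit message describes concrete, here is an added example (not MaxScale's own `RateLimit` code) of a per-thread failure counter keyed by client address: a thread-local `std::unordered_map`, a configurable failure threshold and a temporary block window. The class and method names, the defaults and the injected `now` time point (used instead of calling the clock so the behaviour can be checked deterministically) are all assumptions of this illustration.

```cpp
// Added example, not MaxScale code: a minimal per-thread authentication
// failure limiter in the shape the commit message describes. Names, defaults
// and the explicit `now` parameter are assumptions made for this illustration.
#include <chrono>
#include <cstdio>
#include <string>
#include <unordered_map>

using Clock = std::chrono::steady_clock;

struct RateLimitConfig
{
    int max_failures;                 // failures allowed before a host is blocked
    std::chrono::seconds block_time;  // temporary block, unlike the server's permanent one

    RateLimitConfig(int failures = 5, std::chrono::seconds block = std::chrono::seconds(60))
        : max_failures(failures), block_time(block) {}
};

class RateLimit
{
public:
    explicit RateLimit(RateLimitConfig cfg = RateLimitConfig()) : m_cfg(cfg) {}

    // Record one failed authentication from `remote` at time `now`.
    // Returns true when the host is, or has just become, blocked.
    bool mark_auth_as_failed(const std::string& remote, Clock::time_point now)
    {
        Entry& e = m_failures[remote];

        if (e.blocked_until > now)
        {
            return true;    // still inside the block window
        }

        if (e.blocked_until != Clock::time_point())
        {
            // A previous block has expired: count from scratch again.
            e.failures = 0;
            e.blocked_until = Clock::time_point();
        }

        if (++e.failures >= m_cfg.max_failures)
        {
            e.blocked_until = now + m_cfg.block_time;
            return true;
        }
        return false;
    }

    // Should a new connection attempt from `remote` be refused at `now`?
    bool is_blocked(const std::string& remote, Clock::time_point now) const
    {
        auto it = m_failures.find(remote);
        return it != m_failures.end() && it->second.blocked_until > now;
    }

    // A successful login clears the history for that host.
    void mark_auth_as_ok(const std::string& remote)
    {
        m_failures.erase(remote);
    }

    int failures_for(const std::string& remote) const
    {
        auto it = m_failures.find(remote);
        return it == m_failures.end() ? 0 : it->second.failures;
    }

private:
    struct Entry
    {
        int failures = 0;
        Clock::time_point blocked_until;    // default (epoch) means "not blocked"
    };

    RateLimitConfig m_cfg;
    std::unordered_map<std::string, Entry> m_failures;
};

// One limiter per worker thread: no locking is needed, but every thread counts
// on its own, so a client spread over N threads gets roughly N * max_failures
// attempts. That is the "scaling" side-effect the commit message accepts.
RateLimit& thread_rate_limit()
{
    thread_local RateLimit limiter;
    return limiter;
}

int main()
{
    RateLimit& rl = thread_rate_limit();
    Clock::time_point now = Clock::now();
    for (int i = 0; i < 6; ++i)
    {
        bool blocked = rl.mark_auth_as_failed("192.0.2.10", now);  // constructed client address
        std::printf("failure %d -> blocked=%d\n", i + 1, blocked ? 1 : 0);
    }
    return 0;
}
```

Because the block expires on its own, the threshold can be set much lower than a server-side permanent block would allow, which is the point the commit message makes; the trade-off is that `thread_rate_limit()` gives each worker its own map, so the effective limit grows with the thread count.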
@ -818,6 +818,8 @@ static int gw_read_do_authentication(DCB* dcb, GWBUF* read_buffer, int nbytes_re
{
protocol->protocol_auth_state = MXS_AUTH_STATE_FAILED;
mysql_client_auth_error_handling(dcb, auth_val, next_sequence);
mxb_assert(dcb->session->listener);
dcb->session->listener->mark_auth_as_failed(dcb->remote);
/**
* Close DCB and which will release MYSQL_session
*/
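Review bot: `mxb_assert(dcb->session->listener)` is a debug-build assertion, so in a release build a null listener goes straight into `dcb->session->listener->mark_auth_as_failed(dcb->remote);` and is dereferenced; if the listener can be unset by the time authentication fails (for example on a session being torn down), guard the call with `if (dcb->session->listener)` instead, or add a comment stating the invariant so the assert reads as documentation rather than as the only check. It would also help to mark, either in a comment here or in the commit message's TODO, that the limit `mark_auth_as_failed` applies is still hard-coded and counted per thread, since nothing at this call site shows that.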