* Jan Urbański (wulczer(at)wulczer(dot)org) wrote:
> On 04/11/10 14:09, Robert Haas wrote:
> > Hmm, I wonder how useful this is given that restriction.
> As KaiGai mentined, it's more to make bruteforcing difficult (read: tmie
> consuming), right?
Which it would still do, since the attacker would be bumping up against
max_connections. max_connections would be a DOS point, but that's no
different from today. Other things could be put in place to address
that (max # of connections from a given IP or range could be implemented
using iptables, as an example).
5 second delay w/ max connections at 100 would mean max of 20 attempts
per second, no? That's alot fewer than 100*(however many attempts can
be done in a second). Doing a stupid while true; psql -d blah; done
managed to get 50 successful ident auths+no-db-found errors done in a
second on one box here. 5000 >> 20, and I wasn't even trying.
In response to
pgsql-hackers by date
|Next:||From: Tom Lane||Date: 2010-11-04 13:49:41|
|Subject: Re: why does plperl cache functions using just a bool for is_trigger |
|Previous:||From: Robert Haas||Date: 2010-11-04 13:16:45|
|Subject: Re: Comparison with "true" in source code|