Re: contrib: auth_delay module

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Jan Urbański <wulczer(at)wulczer(dot)org>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, PostgreSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: contrib: auth_delay module
Date: 2010-11-04 13:35:16
Message-ID: 20101104133516.GN26232@tamriel.snowman.net
Lists: pgsql-hackers

* Jan Urbański (wulczer(at)wulczer(dot)org) wrote:
> On 04/11/10 14:09, Robert Haas wrote:
> > Hmm, I wonder how useful this is given that restriction.
>
> As KaiGai mentioned, it's more to make bruteforcing difficult (read: time
> consuming), right?

Which it would still do, since the attacker would be bumping up against
max_connections. max_connections would be a DOS point, but that's no
different from today. Other things could be put in place to address
that (max # of connections from a given IP or range could be implemented
using iptables, as an example).

5 second delay w/ max connections at 100 would mean max of 20 attempts
per second, no? That's a lot fewer than 100*(however many attempts can
be done in a second). Doing a stupid while true; psql -d blah; done
managed to get 50 successful ident auths+no-db-found errors done in a
second on one box here. 5000 >> 20, and I wasn't even trying.

Thanks,

Stephen
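The arithmetic in the message above (attempts per second bounded by max_connections divided by the delay, with the same slot exhaustion denying legitimate logins), worked through as a small simulation. This is an added example, not code from the thread or from contrib/auth_delay. It assumes the model the message describes: every failed authentication holds a connection slot for the full delay, the attacker runs as many parallel clients as it likes, and a constructed auth_cost of 0.02 s per attempt stands in for the roughly 50 ident auths per second observed without any delay. A per-source connection cap, such as an iptables connlimit rule, is modelled simply as a smaller number of attacker clients; that, too, is an assumption of the example.

```python
import heapq
from dataclasses import dataclass


@dataclass
class Server:
    max_connections: int
    auth_delay: float        # seconds a slot stays held after a failed login
    auth_cost: float = 0.02  # constructed: ~50 auth round-trips/s per connection


def guess_rate_bound(server: Server, attacker_slots: int) -> float:
    """Upper bound on password guesses per second once the attacker keeps
    every slot it can reach busy: slots / (time each failed attempt holds one).
    attacker_slots below max_connections models a per-source connection cap."""
    slots = min(attacker_slots, server.max_connections)
    return slots / (server.auth_cost + server.auth_delay)


def simulate(server: Server, attacker_clients: int, legit_arrivals, horizon: float):
    """Event-driven model of the attack over `horizon` seconds.

    Attacker clients grab any free slot immediately; each failed attempt holds
    its slot for auth_cost + auth_delay seconds and counts as one guess when
    the slot frees. Legitimate logins (constructed arrival times) that find
    every slot busy are rejected, i.e. hit max_connections.
    Returns (guesses, accepted_arrivals, rejected_arrivals)."""
    hold = server.auth_cost + server.auth_delay
    in_use = []                  # min-heap of (release_time, owner)
    waiting = attacker_clients   # attacker clients not currently holding a slot
    guesses = 0
    accepted, rejected = [], []
    arrivals = sorted(legit_arrivals)
    ai = 0
    now = 0.0

    while True:
        # Attacker refills every free slot it has a client for.
        while waiting and len(in_use) < server.max_connections:
            heapq.heappush(in_use, (now + hold, "attacker"))
            waiting -= 1
        # Legitimate logins due at this instant take whatever is left.
        while ai < len(arrivals) and arrivals[ai] <= now:
            if len(in_use) < server.max_connections:
                heapq.heappush(in_use, (now + server.auth_cost, "legit"))
                accepted.append(arrivals[ai])
            else:
                rejected.append(arrivals[ai])
            ai += 1
        # Jump to the next event: a slot release or a legitimate arrival.
        pending = []
        if in_use:
            pending.append(in_use[0][0])
        if ai < len(arrivals):
            pending.append(arrivals[ai])
        if not pending or min(pending) >= horizon:
            break
        now = min(pending)
        while in_use and in_use[0][0] <= now:
            _, owner = heapq.heappop(in_use)
            if owner == "attacker":
                guesses += 1      # failed attempt completes as its slot frees
                waiting += 1
    return guesses, accepted, rejected


if __name__ == "__main__":
    logins = [1.0, 30.0, 59.0]   # constructed legitimate login times (s)
    for delay, clients in [(0.0, 1000), (5.0, 1000), (5.0, 10)]:
        srv = Server(max_connections=100, auth_delay=delay)
        g, ok, rej = simulate(srv, clients, logins, horizon=60.0)
        print(f"delay={delay}s clients={clients}: {g} guesses/60s "
              f"(bound {guess_rate_bound(srv, clients):.1f}/s), "
              f"legit accepted={len(ok)} rejected={len(rej)}")
```

The first run reproduces the no-delay figure (about 5000 guesses per second across 100 slots); the second shows the delay capping the attacker just under 20 per second while every legitimate login still bounces off max_connections, which is the DoS point; the third shows that once the attacker's own connections are capped at 10, the guess rate drops further and legitimate logins get through again.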
