From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Jan Urbański <wulczer(at)wulczer(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, PostgreSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
Subject: | Re: contrib: auth_delay module |
Date: | 2010-11-28 13:38:22 |
Message-ID: | AANLkTinBySemtL+fwwPO4eMS5MyQnhakffdUD6M5LeQr@mail.gmail.com |
Lists: | pgsql-hackers |
On Sat, Nov 27, 2010 at 2:44 PM, Jeff Janes <jeff(dot)janes(at)gmail(dot)com> wrote:
> On Thu, Nov 4, 2010 at 6:35 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> * Jan Urbański (wulczer(at)wulczer(dot)org) wrote:
>>> On 04/11/10 14:09, Robert Haas wrote:
>>> > Hmm, I wonder how useful this is given that restriction.
>>>
>>> As KaiGai mentioned, it's more to make bruteforcing difficult (read: time
>>> consuming), right?
>>
>> Which it would still do, since the attacker would be bumping up against
>> max_connections. max_connections would be a DOS point, but that's no
>> different from today.
>
> I haven't thought of a way to test this, so I guess I'll just ask.
> If the attacking client just waits a few milliseconds for a response
> and then drops the socket, opening a new one, will the server-side
> walking-dead process continue to be charged against max_connections
> until its sleep expires?

I'm not sure, either. I suspect the answer is yes. I guess you could
test this by writing a loop like this:

    while true; do psql <connection parameters that will fail authentication>; done

...and then hitting ^C every few seconds during execution. After
doing that for a bit, run select * from pg_stat_activity or ps auxww |
grep postgres in another window.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
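
One way to read the `ps auxww | grep postgres` output from the test described above, as an added example that is not part of the original message: it counts backends still in the authentication phase per client host and compares the total against max_connections. The function names and sample lines are constructed, and the process-title layout (`postgres: user database host(port) authentication`) is an assumption about the server's ps display.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes update_process_title is on and
# that a backend waiting in authentication (including any delay after a
# failed attempt) shows a title ending in "authentication".

# Constructed sample of `ps auxww | grep postgres` output.
sample_ps() {
cat <<'EOF'
postgres  4001  0.0  0.3 182340 6120 ?  Ss  13:30  0:00 postgres: writer process
postgres  4090  0.0  0.4 184200 8100 ?  Ss  13:35  0:00 postgres: alice appdb 10.0.0.9(40112) idle
postgres  4101  0.0  0.2 183100 4012 ?  Ss  13:38  0:00 postgres: bob appdb 10.0.0.7(51820) authentication
postgres  4102  0.0  0.2 183100 4012 ?  Ss  13:38  0:00 postgres: bob appdb 10.0.0.7(51822) authentication
postgres  4103  0.0  0.2 183100 4012 ?  Ss  13:38  0:00 postgres: bob appdb 10.0.0.7(51824) authentication
postgres  4104  0.0  0.2 183100 4012 ?  Ss  13:38  0:00 postgres: carol appdb 10.0.0.12(33010) authentication
EOF
}

# Reads ps output on stdin; prints "host count" for backends in the
# authentication phase, busiest host first.
auth_backends_by_host() {
    awk 'NF >= 5 && $NF == "authentication" && $(NF-4) == "postgres:" {
             h = $(NF-1)
             sub(/\([0-9]+\)$/, "", h)   # drop the client port
             count[h]++
         }
         END { for (h in count) print h, count[h] }' |
    sort -k2,2nr -k1,1
}

# Reads ps output on stdin; prints the total number of such backends.
auth_backend_total() {
    auth_backends_by_host | awk '{ n += $2 } END { print n + 0 }'
}

# usage: auth_pressure MAX_CONNECTIONS PCT < ps-output
# Exit 0 when backends in authentication hold at least PCT percent of
# MAX_CONNECTIONS slots (both values supplied by the caller).
auth_pressure() {
    total=$(auth_backend_total)
    [ $((total * 100)) -ge $(($1 * $2)) ]
}

sample_ps | auth_backends_by_host
```

On a live server, replace `sample_ps` with `ps auxww | grep '[p]ostgres:'` and pass the value of `SHOW max_connections` to `auth_pressure`.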