Henrik Nordstrom writes:
>This is to force ident_lookup ident lookups to be closed when the client
>connection is closed / aborted. If this isn't done then any user
>(allowed or not) can easily create a serious DOS situation when
>ident_lookup is on by sending unauthorized/bogus requests while
>blocking their ident port.
I can think of many DOS attacks with ident, not just this one.
I think it's a risk the cache admin takes when they enable this
option. Much better ways of authentication exist, so I don't think
we need to bend over backwards making this one work ideally.
For example, I would rather have an 'ident_timeout' option with
a small default, like 10 seconds.
>It looks like we need some acl->client_side interface for ident
>lookups.. This would solve all these issues: best effort for
>ident_lookup on, no more odd code for blocking requests in client_side
>waiting for an ident lookup and a clean method for blocking ACL
>processing on ident lookups without accidentally initiating more than one
>ident lookup.
Perhaps.
I wonder if it would also work to have ACL-only ident lookups, but
with a keyword like "ANY" so that if the lookup fails the request
is still processed. That would really simplify things too.
Duane W.
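The bounded, best-effort ident lookup discussed in this thread, as an added example (not Squid's code): an RFC 1413 client that gives up after a configurable timeout and treats every failure as "no identity" rather than holding the request open. The port numbers, the 0.5 second demo timeout and the silent local listener are constructed for the demonstration.

```python
import socket
import threading
from typing import Optional


def parse_ident_reply(line: str) -> Optional[str]:
    """Parse one RFC 1413 reply; return the user id, or None for ERROR/garbage.
    Format: "<srvport> , <cliport> : USERID : <os> : <userid>"  (userid may contain ':')."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) != 4 or parts[1].upper() != "USERID":
        return None  # "... : ERROR : NO-USER", truncated, or malformed reply
    return parts[3] or None


def ident_lookup(client_addr: str, server_port: int, client_port: int,
                 timeout: float = 10.0, ident_port: int = 113) -> Optional[str]:
    """Best-effort lookup: connect, ask, and bail out after `timeout` seconds.
    Refused, black-holed, slow or malformed answers all yield None, so a client
    that blocks its ident port can only cost us one bounded wait, not a hung request."""
    try:
        # create_connection applies `timeout` to connect() and to later recv()/send()
        with socket.create_connection((client_addr, ident_port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            buf = b""
            while b"\n" not in buf and len(buf) < 1024:  # cap the reply size too
                chunk = s.recv(256)
                if not chunk:
                    break
                buf += chunk
        return parse_ident_reply(buf.decode("ascii", "replace"))
    except (OSError, ValueError):
        return None


def lookup_against_silent_listener(timeout: float = 0.5) -> Optional[str]:
    """Constructed scenario: a 'client' that accepts the ident connection and never
    answers (the blocking trick from the thread). The lookup must return None
    within roughly `timeout` seconds instead of waiting forever."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    held = []

    def hold():
        conn, _ = srv.accept()
        held.append(conn)  # keep it open, reply with nothing

    threading.Thread(target=hold, daemon=True).start()
    try:
        return ident_lookup("127.0.0.1", 3128, 40000, timeout=timeout,
                            ident_port=srv.getsockname()[1])
    finally:
        srv.close()
        for c in held:
            c.close()
```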
Received on Tue Jul 29 2003 - 13:15:55 MDT