| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
| Cc: | Michael Banck <mbanck(at)gmx(dot)net>, Tomas Vondra <tomas(dot)vondra(at)enterprisedb(dot)com>, Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers(at)lists(dot)postgresql(dot)org, 成之焕 <zhcheng(at)ceresdata(dot)com> |
| Subject: | Re: [PATCH] Exponential backoff for auth_delay |
| Date: | 2024-03-06 18:24:01 |
| Message-ID: | CAOYmi+koiMd58P=k_S7wsLw17chw5g2Y8kc6MHzoOqOOZ9KXdA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Mar 6, 2024 at 8:10 AM Nathan Bossart <nathandbossart(at)gmail(dot)com> wrote:
> Assuming you are referring to the case where we run out of free slots in
> acr_array, I'm not sure I see that as desirable behavior. Once you run out
> of slots, all failed authentication attempts are now subject to the maximum
> delay, which is arguably a denial-of-service scenario, albeit not a
> particularly worrisome one.
Maybe I've misunderstood the attack vector, but I thought the point of
the feature was to deny service when the server is under attack. If we
don't deny service, what does the feature do?
And I may have introduced a red herring in talking about the number of
hosts, because an attacker operating from a single host is under no
obligation to actually wait for the authentication delay. Once we hit
some short timeout, we can safely assume the password is wrong,
abandon the request, and open up a new connection. It seems like the
thing limiting our attack is the number of connection slots, not
MAX_CONN_RECORDS. Am I missing something crucial?
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2024-03-06 18:28:20 | Re: Statistics Import and Export |
| Previous Message | Alvaro Herrera | 2024-03-06 18:22:46 | Re: [EXTERNAL] Re: Add non-blocking version of PQcancel |