[zeromq-dev] Fwd: Access control

Pieter Hintjens ph at imatix.com
Tue Jul 27 18:41:28 CEST 2010


On Tue, Jul 27, 2010 at 6:30 PM, Martin Lucina <mato at kotelna.sk> wrote:

> These days this kind of thing is generally out of the control of the
> application and handled by administrators using firewall rules.

Uhm, firewalls are obviously a necessary defense for certain kinds of
attack, but they generally can't handle clients that send malformed
requests indicating infection or hostile intent.

A smart HTTP server checks for known attacks (proxy probes, invalid
paths, SQL injections, over-long requests, too many concurrent
requests) and adds such clients' IP addresses to a black list.  It
does not continue to accept them; that would pollute logs.  It cannot
get firewall assistance for this.

Any Internet scale service using 0MQ is going to have to be able to
temporarily or permanently reject incoming connections on random
criteria.

Trivial example: 0MQ XREQ client that makes endless new connections to
a 0MQ XREP server, specifying new identities each time.  Server
crashes.  Firewall looks on in amusement.

-Pieter
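
An illustration of the application-level blacklist described in the message above, added here and not part of the original post or of 0MQ: the server calls `accept()` before servicing a connection and `check_request()` on each HTTP request line. The class name, thresholds and path heuristics are assumptions chosen for this example.

```python
import time

class DenyList:
    """Per-IP application-layer deny list (hypothetical name and limits)."""
    def __init__(self, max_len=8192, max_concurrent=20, max_identities=100,
                 ban_seconds=600, clock=time.monotonic):
        self.max_len, self.max_concurrent = max_len, max_concurrent
        self.max_identities, self.ban_seconds = max_identities, ban_seconds
        self.clock = clock
        self.banned = {}      # ip -> expiry time (float("inf") = permanent)
        self.open = {}        # ip -> currently open connections
        self.identities = {}  # ip -> distinct peer identities seen

    def ban(self, ip, permanent=False):
        self.banned[ip] = float("inf") if permanent else self.clock() + self.ban_seconds
        self.identities.pop(ip, None)  # drop per-IP state so it cannot grow unbounded

    def accept(self, ip, identity=None):
        """Call at connection time; False means close the socket immediately."""
        expiry = self.banned.get(ip)
        if expiry is not None:
            if self.clock() < expiry:
                return False
            del self.banned[ip]  # temporary ban has expired
        if self.open.get(ip, 0) >= self.max_concurrent:
            self.ban(ip)         # too many concurrent connections
            return False
        if identity is not None:
            seen = self.identities.setdefault(ip, set())
            seen.add(identity)
            if len(seen) > self.max_identities:
                self.ban(ip)     # endless new identities from one address
                return False
        self.open[ip] = self.open.get(ip, 0) + 1
        return True

    def close(self, ip):
        self.open[ip] = max(0, self.open.get(ip, 0) - 1)

    def check_request(self, ip, request_line):
        """Call per HTTP request line; False means the client was just banned."""
        parts = request_line.split(" ")
        bad = (len(request_line) > self.max_len   # over-long request
               or len(parts) != 3                 # malformed request line
               or not parts[1].startswith("/")    # proxy probe (absolute URI / CONNECT)
               or ".." in parts[1].split("/"))    # invalid path (traversal)
        if bad:
            self.ban(ip)
        return not bad
```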


