[zeromq-dev] Fwd: Access control

Pieter Hintjens ph at imatix.com
Tue Jul 27 19:22:31 CEST 2010


On Tue, Jul 27, 2010 at 6:51 PM, Martin Lucina <mato at kotelna.sk> wrote:

> Interesting, I've not actually seen a HTTP server that implements the
> functionality you describe. What you are describing is more along the lines
> of an IDS coupled with a stateful firewall.

Most modern web servers offer ways to filter requests early on and
return error messages before the request actually gets processed or
(worst case) passed to business logic that may not be able to handle
it.  See e.g. http://blog.taragana.com/index.php/archive/nginx-how-to-stop-referrer-spam-with-keyword-filtering/

All web servers of any quality offer IP blocks but they are afaik
configured manually.

Ultramodern (so modern they don't fully exist :-) servers like X5
(www.xitami.com) combine this to do on the fly blacklisting.

>> Any Internet scale service using 0MQ is going to have to be able to
>> temporarily or permanently reject incoming connections on random
>> criteria.
>>
>> Trivial example: 0MQ XREQ client that makes endless new connections to
>> a 0MQ XREP server, specifying new identities each time.  Server
>> crashes.  Firewall looks on in amusement.
>
> Stateful firewall of 2010 != what you are thinking. You can define
> connection rates per minute, manipulate rules automatically if you so wish.

Yes, and this is all useful, but you can't (easily) configure them to
detect application-level attacks.  E.g. someone doing an obvious
dictionary attack on an SMTP server.

> I'm not saying that 0MQ one day may not have some minimum of the
> functionality you're describing, but 0MQ sockets being at the layer they
> are in terms of the network stack most of what you're describing is really
> a OS/admin/IDS/firewall job and not 0MQ's job.

Just sayin, we'll see people try to use 0MQ at Internet scale faster
than you might imagine, and right now such attempts will probably
suffer because they lack necessary protection.

-Pieter



More information about the zeromq-dev mailing list