Re: contrib: auth_delay module
Jeff Janes <jeff.janes@gmail.com>
From: Jeff Janes <jeff.janes@gmail.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Jan Urbański <wulczer@wulczer.org>, Robert Haas <robertmhaas@gmail.com>, Itagaki Takahiro <itagaki.takahiro@gmail.com>, KaiGai Kohei <kaigai@kaigai.gr.jp>, PostgreSQL-Hackers <pgsql-hackers@postgresql.org>, KaiGai Kohei <kaigai@ak.jp.nec.com>
Date: 2010-11-27T19:44:59Z
Lists: pgsql-hackers
On Thu, Nov 4, 2010 at 6:35 AM, Stephen Frost <sfrost@snowman.net> wrote: > * Jan Urbański (wulczer@wulczer.org) wrote: >> On 04/11/10 14:09, Robert Haas wrote: >> > Hmm, I wonder how useful this is given that restriction. >> >> As KaiGai mentined, it's more to make bruteforcing difficult (read: tmie >> consuming), right? > > Which it would still do, since the attacker would be bumping up against > max_connections. max_connections would be a DOS point, but that's no > different from today. I haven' t thought of a way to test this, so I guess I'll just ask. If the attacking client just waits a few milliseconds for a response and then drops the socket, opening a new one, will the server-side walking-dead process continue to be charged against max_connections until it's sleep expires? Cheers, Jeff