Bug 67707: bugzilla DoS
Status: RESOLVED FIXED (opened 24 years ago, closed 23 years ago)
Categories: Bugzilla :: Bugzilla-General, enhancement
Target Milestone: Bugzilla 2.14
People: Reporter: rkotalampi, Assigned: barnboy
Attachments (1 file): (deleted), patch
Every now and then some idiot hits bugzilla with a search engine, recursive
queries, or something that follows all links on the previous page. This is causing
a bunch of simultaneous hits to the database, and eventually the load goes very high
(I have seen 40-50).
So far what I have done is to look at who the bad guy is and block their access
to bugzilla in Apache. But could this be something that bugzilla would track?
For example, bugzilla could record every hit it's getting from each IP
and:
    if($hits_last_minute{"$ip"} > $limit){
        reject_access();
    }
Comment 1•24 years ago
Hmm, this sounds familiar, eh, Dawn?
Comment 2•24 years ago
oooh, lookie this!
http://www.snert.com/Software/Throttle/
maybe it's just a matter of reconfiguring apache.
Comment 3•24 years ago
You can probably throttle bugzilla with only a few connections though
unfortunately, so to "solve" the problem would likely impact on normal usage.
This may be desirable in some cases.
Comment 4•24 years ago
ThrottleClientIP size policy limit period
Context: server
Specify the size of the client IP address list and the global policy to be
applied to all incoming connections based on information recorded for a client
IP address. The policy Concurrent is ignored.
When the list size is greater than zero, then throttling by client IP
address is enabled (the default is zero). Requests from a client IP address can
be tracked for a short period of time and subject to the policy specified. The
period of time that a client IP address is tracked depends on the size of the
client IP address list, which is ordered most recent request to oldest. Every
time a new client IP address connects, the oldest entry in the list is lost and
reassigned to the new client IP address. Every time an existing entry makes a
request, it is moved to the top of the list.
Request
Impose a limit on the number of requests per period. When this limit is exceeded
all further requests are refused until the elapsed time exceeds the period
length, at which point the elapsed time and counters are reset.
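The client IP list and the Request policy quoted in comment 4, modelled as an added Python example (not mod_throttle's code and not part of the original comment). The class and function names, the size/limit/period values and the sample traffic are assumptions constructed for illustration.

```python
from collections import OrderedDict


class ClientIPThrottle:
    """Model of the per-client-IP 'Request' policy quoted in comment 4."""

    def __init__(self, size, limit, period):
        self.size = size      # slots in the client IP list; 0 disables throttling
        self.limit = limit    # requests allowed per period
        self.period = period  # period length in seconds
        self.clients = OrderedDict()  # ip -> [window_start, count]; last = most recent

    def allow(self, ip, now):
        """Record one request from ip at time now; return True if it may proceed."""
        if self.size <= 0:
            return True
        entry = self.clients.get(ip)
        if entry is None:
            if len(self.clients) >= self.size:
                self.clients.popitem(last=False)  # oldest entry is lost and reassigned
            entry = self.clients[ip] = [now, 0]
        else:
            self.clients.move_to_end(ip)          # existing entry moves to the top
        if now - entry[0] > self.period:          # elapsed time exceeds the period: reset
            entry[0], entry[1] = now, 0
        entry[1] += 1
        return entry[1] <= self.limit


def replay(throttle, requests):
    """Replay (timestamp, ip) pairs in order; return the ones that were refused."""
    return [(t, ip) for t, ip in requests if not throttle.allow(ip, t)]


# Constructed sample traffic: one client following every link, plus one normal user.
# Addresses come from the documentation range 192.0.2.0/24.
SAMPLE = sorted([(t, "192.0.2.10") for t in range(8)]
                + [(3, "192.0.2.20"), (70, "192.0.2.10")])

if __name__ == "__main__":
    throttle = ClientIPThrottle(size=100, limit=5, period=60)
    for t, ip in replay(throttle, SAMPLE):
        print(f"t={t:>3}s refused {ip}")
```

With a list smaller than the number of active clients, an entry is reassigned before its period ends and its counter is lost, so the list size bounds how long any one address is tracked.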
Updated•24 years ago
Target Milestone: --- → Future
Comment 5•24 years ago
minor alteration to the summary to make the subject more obvious. Moving to 2.14
since this is a security issue and b.m.o has already been nailed by it at least
once. Although it may just be a documentation issue because it looks like a lot
of it is browser-specific configuration.
Summary: bugzilla DOS → bugzilla DoS
Target Milestone: Future → Bugzilla 2.14
Reporter
Comment 7•23 years ago
mod_throttle is implemented in the new bugzilla.mozilla.org that went to
production 4/13/01.
Assignee
Updated•23 years ago
Status: NEW → ASSIGNED
Assignee
Comment 8•23 years ago
I have not yet documented this procedure in the Guide.
I will work on it this weekend.
Comment 10•23 years ago
Assignee
Comment 12•23 years ago
Reviewed and checked in. Had to fix a couple of errors with broken syntax, but
otherwise leaving as-is. Resolving as soon as I check in.
Status: NEW → ASSIGNED
Assignee
Comment 13•23 years ago
Documented, checked in. Would be nice to have non-apache directions for this,
as well.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 14•23 years ago
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa