Closed Bug 67707 Opened 24 years ago Closed 23 years ago

bugzilla DoS

(Bugzilla :: Bugzilla-General, enhancement)

RESOLVED FIXED
Bugzilla 2.14

(Reporter: rkotalampi, Assigned: barnboy)

Attachments

(1 file)

Every now and then some idiot hits bugzilla with a search engine, recursive queries, or something that follows all links on the previous page. This causes a bunch of simultaneous hits to the database, and eventually the load goes very high (I have seen 40-50). So far what I have done is to look at who the bad guy is and block their access to bugzilla in Apache. But could this be something that bugzilla would track? For example bugzilla could record every hit it's getting from each IP and:
if($hits_last_minute{"$ip"} > $limit){ reject_access(); }
Hmm, this sounds familiar, eh, Dawn?
oooh, lookie this! http://www.snert.com/Software/Throttle/ maybe it's just a matter of reconfiguring apache.
You can probably throttle bugzilla with only a few connections though, unfortunately, so to "solve" the problem would likely impact on normal usage. This may be desirable in some cases.
ThrottleClientIP size policy limit period
Context: server

Specify the size of the client IP address list and the global policy to be applied to all incoming connections based on information recorded for a client IP address. The policy Concurrent is ignored. When the list size is greater than zero, then throttling by client IP address is enabled (the default is zero). Requests from a client IP address can be tracked for a short period of time and subject to the policy specified. The period of time that a client IP address is tracked depends on the size of the client IP address list, which is ordered most recent request to oldest. Every time a new client IP address connects, the oldest entry in the list is lost and reassigned to the new client IP address. Every time an existing entry makes a request, it is moved to the top of the list.

Request: Impose a limit on the number of requests per period. When this limit is exceeded all further requests are refused until the elapsed time exceeds the period length, at which point the elapsed time and counters are reset.
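Added example, not code from this bug, from Bugzilla or from mod_throttle: a small Python model of the ThrottleClientIP behaviour quoted above (bounded client-IP list ordered most recent to oldest, Request policy of `limit` hits per `period`), which also covers the reporter's per-IP hit-counter idea. Class name, IP addresses and timings are constructed for illustration.

```python
from collections import OrderedDict

class ClientIPThrottle:
    """Model of the ThrottleClientIP behaviour quoted above: a bounded list of
    client IPs ordered most recent to oldest, plus the 'Request' policy of at
    most `limit` requests per `period` seconds. Constructed illustration, not
    mod_throttle's or Bugzilla's code."""

    def __init__(self, size, limit, period):
        if size <= 0:
            raise ValueError("size must be > 0 (0 disables throttling)")
        self.size, self.limit, self.period = size, limit, period
        # ip -> [window_start, count]; insertion order is recency, oldest
        # first, so popitem(last=False) drops the least recent client.
        self._clients = OrderedDict()

    def request(self, ip, now):
        """Record one request from `ip` at time `now` (seconds); return True
        if it should be served, False if it is refused."""
        entry = self._clients.get(ip)
        if entry is None:
            if len(self._clients) >= self.size:
                # Full list: the oldest entry is lost and its slot reused.
                # Caveat: a flood of distinct IPs can evict a client that is
                # still over its limit, so size the list generously.
                self._clients.popitem(last=False)
            entry = self._clients[ip] = [now, 0]
        else:
            self._clients.move_to_end(ip)  # existing client moves to the top
        if now - entry[0] > self.period:
            entry[0], entry[1] = now, 0  # period elapsed: reset timer and count
        entry[1] += 1
        return entry[1] <= self.limit

    def tracked(self):
        """IPs currently tracked, oldest first."""
        return list(self._clients)

def simulate(throttle, hits):
    """Feed constructed (ip, time) hits through the throttle; return (ip, time, served)."""
    return [(ip, t, throttle.request(ip, t)) for ip, t in hits]

# Constructed sample traffic: one client hammering, two quiet ones.
SAMPLE_HITS = [("10.0.0.1", 0), ("10.0.0.1", 1), ("10.0.0.1", 2), ("10.0.0.1", 3),
               ("10.0.0.2", 5), ("10.0.0.3", 6), ("10.0.0.1", 30), ("10.0.0.1", 70)]

if __name__ == "__main__":
    for ip, t, ok in simulate(ClientIPThrottle(size=3, limit=3, period=60), SAMPLE_HITS):
        print(f"t={t:3d} {ip:9s} {'served' if ok else 'REFUSED'}")
```

With size=3, limit=3, period=60 the fourth hit from 10.0.0.1 and the one at t=30 are refused, the other two clients are unaffected, and the hit at t=70 is served again because the period has elapsed.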
Target Milestone: --- → Future
Minor alteration to the summary to make the subject more obvious. Moving to 2.14 since this is a security issue and b.m.o has already been nailed by it at least once. Although it may just be a documentation issue because it looks like a lot of it is browser-specific configuration.
Summary: bugzilla DOS → bugzilla DoS
Target Milestone: Future → Bugzilla 2.14
-> docboy
Assignee: tara → barnboy
mod_throttle is implemented in the new bugzilla.mozilla.org that went to production 4/13/01.
Status: NEW → ASSIGNED
I have not yet documented this procedure in the Guide. I will work on it this weekend.
Working on this...
Assignee: barnboy → zach
Status: ASSIGNED → NEW
Attached patch: patch to fix (deleted)
Back to barnboy for review and checkin.
Assignee: zach → barnboy
Reviewed and checked in. Had to fix a couple of errors with broken syntax, but otherwise leaving as-is. Resolving as soon as I check in.
Status: NEW → ASSIGNED
Documented, checked in. Would be nice to have non-apache directions for this, as well.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa