Re: [Qemu-devel] [PATCH 6/6] vnc: track & limit connections
From: Gerd Hoffmann
Subject: Re: [Qemu-devel] [PATCH 6/6] vnc: track & limit connections
Date: Wed, 15 Oct 2014 16:19:29 +0200

Hi,

> > The logic to apply the limit to connections in "connecting" state (this
> > is the state you are in *before* successful authentication) is
> > slightly different: A new connect kicks out the oldest client which is
> > still in "connecting" state. This avoids an easy DoS by unauthenticated
> > users by simply opening connections until the limit is reached.
>
> I'd suggest that rather than kicking off the oldest client QEMU
> should simply stop calling accept() when it reaches the limit
> of active unauthenticated client connections.

Looks like I need to be a bit more verbose. The DoS I try to prevent is
that anybody can open $limit connections to the vnc server, let them sit
around idle, thereby blocking further connects.

Whether you stop calling accept or drop the new connection doesn't make
much of a difference.

I try to prevent that by dropping the *oldest* connection, so you have a
chance to connect even if an unprivileged attacker tries to use up all
connection slots.

cheers,
Gerd
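
The two admission policies discussed in this message, modelled side by side as an added example; this is not code from the patch or from QEMU. `LIMIT`, `struct pool`, `admit()` and `newcomer_admitted()` are hypothetical names, and the scenario data is constructed.

```c
#include <stdbool.h>
#include <stddef.h>

#define LIMIT 4 /* assumed cap on clients in "connecting" state */

enum policy { REFUSE_NEW, EVICT_OLDEST };

struct client { int id; bool in_use; unsigned long seq; };
struct pool { struct client slot[LIMIT]; unsigned long next_seq; enum policy policy; };

/* Admit a new unauthenticated client. Returns true if it got a slot;
 * *evicted is the id of the client dropped to make room, or -1. */
bool admit(struct pool *p, int id, int *evicted)
{
    struct client *target = NULL, *oldest = NULL;
    *evicted = -1;
    for (size_t i = 0; i < LIMIT; i++) {
        struct client *c = &p->slot[i];
        if (!c->in_use) {
            if (!target) target = c;
        } else if (!oldest || c->seq < oldest->seq) {
            oldest = c;
        }
    }
    if (!target) {                       /* pool is full */
        if (p->policy == REFUSE_NEW)
            return false;                /* newcomer is locked out */
        *evicted = oldest->id;           /* drop the longest-waiting client */
        target = oldest;
    }
    target->id = id;
    target->in_use = true;
    target->seq = p->next_seq++;
    return true;
}

/* Constructed scenario: ids 1..LIMIT connect and sit idle, then client
 * 100 connects. Returns whether client 100 was admitted. */
bool newcomer_admitted(enum policy policy, int *evicted)
{
    struct pool p = { .policy = policy };
    for (int id = 1; id <= LIMIT; id++)
        admit(&p, id, evicted);
    return admit(&p, 100, evicted);
}
```

Under `EVICT_OLDEST` the newcomer is admitted but is itself the next eviction candidate once `LIMIT` further connections arrive, so it has to finish authentication within that window.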