Hi,

On Fri, Jun 24, 2022 at 01:15:05PM +0200, Arne Schwabe wrote:
> > *This* patch won't apply anymore, but Arne said "we're now much faster
> > in replying to packets than ever before" so we might indeed need a
> > per-source-ip rate-limiter, to something like "10 per 10 seconds" or
> > so (inventing arbitrary number that should be more than enough even
> > for "5 users behind the same NAT reconnect at the same time", while
> > at the same time too low to cause harm as a reflector) for the
> > initial reply.
> 
> Yeah. Keeping a per IP table is adding a lot of state to manage that.
> Maybe instead do a (configurable) overall limit like 100/s?

This would permit an attacker sending 1000 packets/s to an openvpn server
to drown out 90% of all legitimate connection requests from everyone
else...

So while I see your argument about "please do not introduce state again,
we just got rid of it", I'm not convinced we can get away so easily ;-)

OTOH, 100/s inside OpenVPN, and good documentation on how to offload the
state to iptables...  can we teach iptables to recognize CLIENT_RESET
(or whatever they are) packets - only - and apply per-source rate-limiting
there?   iptables seems to be quite good at doing this for TCP SYNs
already...

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
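A worked model of the two proposals in the thread, added here as an example (it is not OpenVPN code and not code from anyone on the list): it runs Arne's 100/s overall limit and Gert's "10 per 10 seconds" per-source limit over a constructed trace with one address flooding at 1000 packets/s plus ordinary clients, and reports how many legitimate initial requests each policy lets through. The traffic mix, the per-second bucket for the global limit and the sliding window for the per-source limit are my assumptions.

```python
from collections import defaultdict, deque

GLOBAL_LIMIT_PER_SEC = 100              # Arne: "(configurable) overall limit like 100/s"
PER_IP_LIMIT, PER_IP_WINDOW_S = 10, 10  # Gert: "10 per 10 seconds" per source IP

def global_limiter(packets):
    """Admit at most GLOBAL_LIMIT_PER_SEC packets per wall-clock second, whoever sends them.
    State: one counter per second. packets = [(t, src), ...] sorted by t; returns [bool, ...]."""
    admitted = defaultdict(int)
    decisions = []
    for t, _src in packets:
        ok = admitted[int(t)] < GLOBAL_LIMIT_PER_SEC
        admitted[int(t)] += ok
        decisions.append(ok)
    return decisions

def per_source_limiter(packets):
    """Admit at most PER_IP_LIMIT packets per source in any PER_IP_WINDOW_S-second sliding window.
    State: a deque of admitted timestamps per source (the per-IP table the thread debates)."""
    recent = defaultdict(deque)
    decisions = []
    for t, src in packets:
        q = recent[src]
        while q and t - q[0] >= PER_IP_WINDOW_S:  # drop entries that have left the window
            q.popleft()
        ok = len(q) < PER_IP_LIMIT
        if ok:
            q.append(t)
        decisions.append(ok)
    return decisions

def build_trace(seconds=10, attacker_pps=1000, legit_pps=100, nat_users=5):
    """Constructed traffic (assumption, not measured): one attacking address at attacker_pps,
    legit_pps fresh clients per second each from its own address, and in second 0 nat_users of
    them sharing one NAT address (the "5 users behind the same NAT" case). Returns (t, src, atk)."""
    trace = []
    for s in range(seconds):
        trace += [(s + i / attacker_pps, "attacker", True) for i in range(attacker_pps)]
        for j in range(legit_pps):
            src = "shared-nat" if s == 0 and j < nat_users else f"client-{s}-{j}"
            trace.append((s + (j + 0.37) / legit_pps, src, False))  # offset avoids timestamp ties
    return sorted(trace)

def acceptance(limiter, trace):
    """Return (fraction of legitimate packets admitted, number of attacker packets admitted)."""
    decisions = limiter([(t, src) for t, src, _ in trace])
    legit = [ok for (_, _, atk), ok in zip(trace, decisions) if not atk]
    attacker_ok = sum(ok for (_, _, atk), ok in zip(trace, decisions) if atk)
    return sum(legit) / len(legit), attacker_ok
```

With this trace the global limit admits 9% of legitimate requests (the flood takes the other 91 slots each second), while the per-source limit admits all of them, including the five behind one NAT, and caps the flooding address at 10 replies per window.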