On Sun, Nov 28, 2010 at 7:10 PM, Jeff Janes <jeff.ja...@gmail.com> wrote: > Oh, I wasn't complaining. I think that having max_connections be > charged for the duration even if the socket is dropped is the only > reasonable thing to do, and wanted to verify that it did happen. > Otherwise the module wouldn't do a very good job at its purpose, the > attacker would simply wait a few milliseconds and then assume it got > the wrong password and kill the connection and start new one.
Good point. > Preventing the brute force password attack by shunting it into a DOS > attack instead seems reasonable. OK. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
