Hello, I have a Kafka cluster deployed into Kubernetes, and I have several producers/consumers that are deployed in the same Kubernetes cluster.
We use TLS between Kafka brokers and clients. I noticed that in case users have the wrong configuration and can't properly complete the SSL/TLS handshake, they produce a ton of requests, and these requests impact cluster resource usage: Kafka broker CPU is at 95-100%, request latency is quite high, etc. So the question is: is there any way to configure a rate limit or throttling for initial TLS/SSL handshakes or attempts? Of course we will fix our clients, but such requests may be used for a DDoS attack on the Kafka cluster. Here is a log snippet:

2019-07-16 19:16:15,684 INFO [SocketServer brokerId=1] Failed authentication with /100.98.90.5 (SSL handshake failed) (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-1-ListenerName(CLIENTTLS)-SSL-6]
2019-07-16 19:16:15,685 INFO [SocketServer brokerId=1] Failed authentication with /100.101.247.126 (SSL handshake failed) (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-1-ListenerName(CLIENTTLS)-SSL-6]
2019-07-16 19:16:15,685 INFO [SocketServer brokerId=1] Failed authentication with /100.101.247.126 (SSL handshake failed) (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-1-ListenerName(CLIENTTLS)-SSL-6]
2019-07-16 19:16:15,685 INFO [SocketServer brokerId=1] Failed authentication with /100.98.90.5 (SSL handshake failed) (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-1-ListenerName(CLIENTTLS)-SSL-6]
2019-07-16 19:16:15,688 INFO [SocketServer brokerId=1] Failed authentication with /100.107.135.16 (SSL handshake failed)

-- Andrii
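An added example, not part of Andrii's post or of Kafka itself: a small detector that parses the broker's "Failed authentication ... (SSL handshake failed)" Selector log lines shown above and flags source IPs whose failures exceed a threshold inside a sliding time window, so a misconfigured client (or a deliberate flood) is identified per source before it saturates broker CPU. The sample log is constructed from the lines in the post plus one extra line for 100.107.135.16 two seconds later, to show that failures spread out in time are not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Broker Selector log line for a failed TLS handshake (fields after the
# reason are ignored). Timestamps use the log4j "HH:MM:SS,mmm" form.
FAILED_HANDSHAKE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO "
    r"\[SocketServer brokerId=(?P<broker>\d+)\] "
    r"Failed authentication with /(?P<ip>[\d.]+) \(SSL handshake failed\)"
)

# Constructed sample: the five lines from the post plus one later line.
_SUFFIX = " (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-1-ListenerName(CLIENTTLS)-SSL-6]"
SAMPLE_LOG = [
    "2019-07-16 19:16:15,684 INFO [SocketServer brokerId=1] Failed authentication with /100.98.90.5 (SSL handshake failed)" + _SUFFIX,
    "2019-07-16 19:16:15,685 INFO [SocketServer brokerId=1] Failed authentication with /100.101.247.126 (SSL handshake failed)" + _SUFFIX,
    "2019-07-16 19:16:15,685 INFO [SocketServer brokerId=1] Failed authentication with /100.101.247.126 (SSL handshake failed)" + _SUFFIX,
    "2019-07-16 19:16:15,685 INFO [SocketServer brokerId=1] Failed authentication with /100.98.90.5 (SSL handshake failed)" + _SUFFIX,
    "2019-07-16 19:16:15,688 INFO [SocketServer brokerId=1] Failed authentication with /100.107.135.16 (SSL handshake failed)",
    "2019-07-16 19:16:17,900 INFO [SocketServer brokerId=1] Failed authentication with /100.107.135.16 (SSL handshake failed)",  # constructed
]


def parse_failures(lines):
    """Yield (timestamp, broker_id, client_ip) for each failed-handshake line."""
    for line in lines:
        m = FAILED_HANDSHAKE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m.group("broker"), m.group("ip")


def noisy_sources(lines, window=timedelta(seconds=1), threshold=3):
    """Return {client_ip: peak_count} for sources whose failed handshakes
    reach `threshold` within any sliding `window` of time."""
    per_ip = defaultdict(list)
    for ts, _broker, ip in parse_failures(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LOG, threshold=2))
```

Run it against the broker's log with the threshold tuned to your traffic; on the sample it reports 100.98.90.5 and 100.101.247.126 and leaves 100.107.135.16 unflagged because its two failures are more than a second apart.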