
Item2572: BlackListPlugin waits too long with banned IP making itself a DOS target

Priority: Normal
Current State: Closed
Released In:
Target Release: n/a
Applies To: Extension
Component: BlackListPlugin
Reported By: KennethLavrsen
Waiting For: Main.KennethLavrsen
Last Change By: KennethLavrsen

The current 60 seconds interval is way too long.

It would be better if we could kill the IP at Apache, but that requires access to .htaccess, and this again means that Apache must be set up to search the entire directory tree of a Foswiki for .htaccess files. This is a performance killer and should be avoided.

Best compromise is

  • Make sure the plugin handles banned IPs early.
  • Make sure the plugin does not spin up the entire Foswiki machinery to generate a beautiful oops message. Instead, write a header and a crude, ugly message to the banned user and die.
  • To slow down site-sucking software a small 5 second delay should do it, and if the script dies in the same kind of time as a normal page view, the plugin will not be a DOS attack vector any more than a normal topic view.

-- KennethLavrsen - 04 Jan 2010
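The three points above, as an added example written for this page; it is not BlackListPlugin code and does not call the Foswiki API. It shows the shape of an early check: read a ban list kept in a plain file (the path and one-IP-per-line format are assumptions), look the client address up before any session or template work is done, and on a hit emit a bare CGI 403 with a plain-text body after a short, bounded delay. In a real plugin this would hang off the earliest handler the plugin API offers; here it is a standalone script so it can be read on its own.

```perl
#!/usr/bin/perl
# Added example (not BlackListPlugin code): reject a banned client as early
# as possible with a cheap plain-text response and a short, bounded delay.
use strict;
use warnings;

# Assumed: ban list maintained by the plugin in its work area, one IP per line.
my $BAN_FILE  = '/var/www/foswiki/working/work_areas/BlackListPlugin/banned.txt';
my $BAN_DELAY = 5;    # seconds; matches the proposal above, keep it page-view sized

# Load the ban list into a hash so each request costs one hash lookup and no
# regex work. A missing file simply means nobody is banned.
sub load_ban_list {
    my ($file) = @_;
    my %banned;
    open my $fh, '<', $file or return \%banned;
    while ( my $line = <$fh> ) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;     # skip comments and blank lines
        $line =~ s/^\s+|\s+$//g;
        $banned{$line} = 1;
    }
    close $fh;
    return \%banned;
}

sub is_banned {
    my ( $banned, $ip ) = @_;
    return ( defined $ip && exists $banned->{$ip} ) ? 1 : 0;
}

# Emit the crude message the author asks for: status line, minimal headers,
# one line of text, then exit. No Foswiki session, no templates, no oops page.
sub reject_banned_client {
    my ( $ip, $delay ) = @_;
    sleep $delay if $delay > 0;           # slows a site sucker, still bounded
    print "Status: 403 Forbidden\r\n";
    print "Content-Type: text/plain; charset=utf-8\r\n";
    print "Connection: close\r\n\r\n";
    print "Access from $ip is blocked.\n";
    exit 0;
}

# Entry point. REMOTE_ADDR is what a CGI environment provides; a reverse proxy
# in front of Apache would need the real client address restored first.
my $client_ip = $ENV{REMOTE_ADDR};
my $banned    = load_ban_list($BAN_FILE);
reject_banned_client( $client_ip, $BAN_DELAY ) if is_banned( $banned, $client_ip );
```

The delay still occupies one Apache worker for its duration, which is exactly why the author wants it kept to the cost of a normal page view rather than 60 seconds: a banned client can only tie up as much server time per request as a legitimate one, so the ban itself stops being the cheaper path for an attacker.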

With .htaccess too slow, what about the plugin maintaining the file in WorkingDir and we use an Include directive in the apache vhost config?

Of course the solution you've just mentioned should be the default to avoid having to mess with Apache.

-- PaulHarvey - 04 Jan 2010

As far as I know an include from a httpd.conf is only loaded when you restart or reload Apache and that we cannot keep on doing.

-- KennethLavrsen - 04 Jan 2010

Summary: BlackListPlugin waits too long with banned IP making itself a DOS target
ReportedBy: KennethLavrsen
SVN Range:
AppliesTo: Extension
Component: BlackListPlugin
Priority: Normal
CurrentState: Closed
WaitingFor: KennethLavrsen
Checkins: BlackListPlugin:a2db3bed853b
TargetRelease: n/a
Topic revision: r3 - 04 Jan 2010, KennethLavrsen