Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update frang documentation #1741

Closed
RomanBelozerov opened this issue Nov 4, 2022 · 2 comments
Closed

update frang documentation #1741

RomanBelozerov opened this issue Nov 4, 2022 · 2 comments
Assignees
@krizhanovsky
Labels
doc
Milestone
0.7 - HTTP/2

Comments

@RomanBelozerov
Copy link
Contributor

Motivation

Please, add more information to frang documentation on working with ip_block and block_action directives.
Also, for the block_action directive I don't understand what event will call 'frang' with ip_block on\off. I think, it's "attack", but it's not written.

For example:
what should client receive on 3rd connection?

  1. ip_block off; connection_burst 2; block_action attack reply; - 403 or not?
  2. ip_block off; connection_burst 2; block_action attack drop; - none?
  3. ip_block on; connection_burst 2; block_action attack drop; - none?
  4. ip_block on; connection_burst 2; block_action attack reply; - three 403 responses?

Documentation

https://github.com/tempesta-tech/tempesta/wiki/HTTP-security
@krizhanovsky
Copy link
Contributor

krizhanovsky commented Nov 10, 2022
edited
Loading

TODO from #1649 :

  1. document that Frang remembers bursts only for 1.5 seconds
  2. connection-level limits can not be used with block_action attack reply
  3. discuss reasonable limits (e.g. burst of 6 connections/s and concurrent connections)
  4. RST in case of 2 pipelined malicious requests and ip_block off; http_ct_vals text/*; block_action attack reply; config. It does make sense to reset a malicious connection and do not spend resources on it
  5. Basically ip_block on; block_action attack reply; is a misconfiguration: Frang limits immediately call the filter blocking on IP layer and the HTTP layer will just put an HTTP response to the socket send buffer, which hung forever.

A new issue #1751 is created to avoid (5) and reset connections on the filter.c layer.

@krizhanovsky krizhanovsky mentioned this issue Nov 11, 2022
Closed
@krizhanovsky
Copy link
Contributor

@RomanBelozerov I updated the page https://github.com/tempesta-tech/tempesta/wiki/HTTP-security - please review whether it is clear and answers all the questions.

Answers to the 4 questions above according to the new doc and #1751:

  1. ip_block off; connection_burst 2; block_action attack reply; - 403 or not?

Connection is just reset (RST), so no any responses - there is nowhere to send the response

  1. ip_block off; connection_burst 2; block_action attack drop; - none?

The same, just reset connection

  1. ip_block on; connection_burst 2; block_action attack drop; - none?

Connection reset and the IP is blocked.

  1. ip_block on; connection_burst 2; block_action attack reply; - three 403 responses?

Connection reset and the IP is blocked. Nothing is sent to the client

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@krizhanovsky krizhanovsky

Labels
doc
Projects
None yet
Milestone
0.7 - HTTP/2
Development

No branches or pull requests
2 participants
@krizhanovsky @RomanBelozerov