edtanous
commented
4 years ago Today, there is no connection flooding prevention. The naive hope in bmcweb is that by keeping the HttpConnection object small (memory wise), and using async methods everywhere, the damage that can be done is limited to only what the kernel allows, which should prevent permanent dos attacks, but definitely would make the bmc unavailable during the flooding. Ideally we'd implement something like fail2ban (which is unfortunately written in python) that can integrate with some firewall, and simply block IPs that are doing nefarious things for a period of time.
joseph-reynolds
What defenses does BMCWeb have against connection flooding? That is, repeatedly creating a connection via TCP port 433 (HTTPS) and then dropping that connection quickly without further using it, specifically without attempting authentication. Is this something BMCWeb can handle or is it better addressed by a firewall (such as a BMC Kernel-based firewall that rate limits connections from specific IP addresses)?