openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

Failed ssl authentication metric #1834

Open r-caamano opened 5 months ago

r-caamano commented 5 months ago

I would like to put in a request for an api endpoint to monitor the number of failed ssl api session authentication events during a time interval with the purpose of detecting ddos attacks against the OpenZiti Controller.

qrkourier commented 5 months ago

Hey @r-caamano! The authentication rate limiter is enabled by default. Does it meet your needs?

https://github.com/openziti/ziti/blob/release-next/CHANGELOG.md#auth-rate-limiter

r-caamano commented 5 months ago

The idea here is to give a ddos tool insight as to whether the controller is under attack and have the OS firewall block any tls session requests from sources that have not already authenticated at least once. The issue arises as to whether the above limiter protects the controller enough when it is hit by millions of authentication requests, or does it still have to waste process cycles denying them? If the answer is that the controller has to waste CPU resources denying the requests to the point it becomes impaired, then I would say that it does not meet the need. cc @mikegorman-nf
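The metric requested in this thread (failed API session authentications per time interval, consumed by an external tool that only blocks sources which have never authenticated) can be sketched independently of the controller. The following is an added example, not OpenZiti code and not an endpoint the controller exposes; it assumes an external feed of authentication outcomes (for instance parsed from controller logs, or from a future endpoint such as the one requested here) delivered as `(timestamp, source IP, succeeded)` tuples. The sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events (not real controller output):
# (unix seconds, source IP, authentication succeeded?)
SAMPLE_EVENTS = [
    (0,  "10.0.0.5",     True),   # legitimate client authenticates once ...
    (30, "10.0.0.5",     False),  # ... then fails a few times (e.g. expired cert)
    (31, "10.0.0.5",     False),
    (32, "10.0.0.5",     False),
    (10, "203.0.113.7",  False),  # never authenticated, hammers the endpoint
    (11, "203.0.113.7",  False),
    (12, "203.0.113.7",  False),
    (13, "203.0.113.7",  False),
    (20, "198.51.100.9", False),  # never authenticated, slower burst
    (21, "198.51.100.9", False),
    (70, "198.51.100.9", False),
]


class FailedAuthMonitor:
    """Sliding-window counter of failed API session authentications.

    Tracks the global failure count for the interval (the metric the issue asks
    for) plus per-source counts, and remembers which sources have succeeded at
    least once so they are never proposed for a firewall block.
    """

    def __init__(self, window_seconds, per_source_threshold):
        self.window = window_seconds
        self.threshold = per_source_threshold
        self.failures = deque()              # (ts, src) in timestamp order
        self.per_source = defaultdict(deque)  # src -> timestamps of failures
        self.authenticated = set()           # sources with >= 1 success

    def record(self, ts, src, succeeded):
        """Feed one authentication outcome; events must arrive in time order."""
        if succeeded:
            self.authenticated.add(src)
            return
        self.failures.append((ts, src))
        self.per_source[src].append(ts)

    def _expire(self, now):
        """Drop failures that fell out of the window ending at `now`."""
        cutoff = now - self.window
        while self.failures and self.failures[0][0] < cutoff:
            self.failures.popleft()
        for src, times in list(self.per_source.items()):
            while times and times[0] < cutoff:
                times.popleft()
            if not times:
                del self.per_source[src]

    def failed_count(self, now):
        """Number of failed authentications in the last `window` seconds."""
        self._expire(now)
        return len(self.failures)

    def block_candidates(self, now):
        """Sources over the per-source threshold that have never authenticated."""
        self._expire(now)
        return sorted(
            src for src, times in self.per_source.items()
            if len(times) >= self.threshold and src not in self.authenticated
        )


def snapshot(events, now, window_seconds=60, per_source_threshold=3):
    """Replay events up to `now` and return (failed count, block candidates)."""
    monitor = FailedAuthMonitor(window_seconds, per_source_threshold)
    for ts, src, ok in sorted(events):
        if ts <= now:
            monitor.record(ts, src, ok)
    return monitor.failed_count(now), monitor.block_candidates(now)


if __name__ == "__main__":
    for t in (70, 130):
        count, candidates = snapshot(SAMPLE_EVENTS, t)
        print(f"t={t}s failed={count} block={candidates}")
```

At t=70 the window holds ten failures and both never-authenticated sources exceed the threshold, while 10.0.0.5 is excluded despite its three failures because it succeeded once; by t=130 all but the last failure have aged out and no source is a candidate. The per-source exclusion is the cheap part; whether the controller can afford to reject millions of handshakes before this tool acts is exactly the open question in the thread.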