gustafn
committed
on 24 Jan 23
Adding one more safety belt for potential DOS attacks

For cases where request blocking is activated (returning a 429 status
code for repeated requests), one more check was added: when such a
block happens more than 15 times in a minute on the same URL from the
same user, more requests for the same URL and user will be blocked
until the minute is over. The user sees the message "This web server
is only open for interactive usage".

Background: While request blocking works well for interactive users,
it might not be sufficient for web clients running wild. Normally,
after a 429, the user can reload the page to receive the content of a
page. This leads to a sequence of requests of interleaved 200 and 429
status codes, which might be ignored by a bot (or a DOS attack). When
the requested page is slow, this can bring a server to its knees.

When request blocking is deactivated, this change has no effect.
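The two-stage rule the commit message describes, as an added illustration in Python (this is not code from the commit or from the project it belongs to; the project is not named on this page). Stage 1 is the existing request blocking; stage 2 is the new safety belt: once one (user, URL) pair has collected more than 15 blocks inside a minute, every further request for that pair is rejected until the minute is over, so the interleaved 200/429 pattern a runaway client would otherwise keep exploiting disappears. The definition of a "repeated request" (a second request within `repeat_window` seconds of the last served one), the use of fixed clock minutes rather than a sliding window, and all class, function and variable names are assumptions made for this example; the sample timelines are constructed.

```python
"""Two-stage per-user, per-URL request throttle (illustrative, not the project's code).

Stage 1 (request blocking): a request is answered with 429 when the same user
asks for the same URL again within `repeat_window` seconds of a served request.
Assumption: the commit message does not spell out the stage-1 rule.

Stage 2 (the added safety belt): when stage 1 has produced more than
`max_blocks_per_minute` (15) 429s for one (user, URL) pair within the current
clock minute, every further request for that pair is rejected until the minute
is over, with the "interactive usage" message. Assumption: fixed clock minutes.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

INTERACTIVE_ONLY_MSG = "This web server is only open for interactive usage"


@dataclass
class Decision:
    status: int                # 200 (served) or 429 (too many requests)
    hard_block: bool = False   # True once the per-minute escalation has fired
    message: str = ""          # user-visible text for the hard block


@dataclass
class RequestThrottle:
    now: Callable[[], float]          # injectable clock, seconds since epoch
    repeat_window: float = 2.0        # assumption: what counts as a "repeated" request
    max_blocks_per_minute: int = 15   # threshold named in the commit message
    _last_served: Dict[Tuple[str, str], float] = field(default_factory=dict, init=False, repr=False)
    # (user, url) -> (clock minute, number of 429s issued in that minute)
    _blocks: Dict[Tuple[str, str], Tuple[int, int]] = field(default_factory=dict, init=False, repr=False)

    def _blocks_in(self, key: Tuple[str, str], minute: int) -> int:
        m, count = self._blocks.get(key, (minute, 0))
        return count if m == minute else 0   # a new minute starts from zero

    def check(self, user: str, url: str) -> Decision:
        t = self.now()
        minute = int(t // 60)          # assumption: fixed clock minutes, not a sliding window
        key = (user, url)

        # Stage 2: the limit was already exceeded this minute, so reject everything
        # for this user/URL until the minute is over. Reloading no longer helps.
        if self._blocks_in(key, minute) > self.max_blocks_per_minute:
            return Decision(429, hard_block=True, message=INTERACTIVE_ONLY_MSG)

        # Stage 1: a request repeated within repeat_window of the last served one -> 429
        last = self._last_served.get(key)
        if last is not None and t - last < self.repeat_window:
            count = self._blocks_in(key, minute) + 1
            self._blocks[key] = (minute, count)
            if count > self.max_blocks_per_minute:
                # the 16th block in this minute flips the pair into the hard block
                return Decision(429, hard_block=True, message=INTERACTIVE_ONLY_MSG)
            return Decision(429)

        self._last_served[key] = t
        return Decision(200)


class FakeClock:
    """Settable clock so the scenarios below run instantly and deterministically."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def simulate(timeline: List[Tuple[float, str, str]],
             throttle: Optional[RequestThrottle] = None,
             clock: Optional[FakeClock] = None) -> List[Decision]:
    """Replay (time, user, url) tuples, in order, through a throttle and collect the decisions."""
    clock = clock or FakeClock()
    throttle = throttle or RequestThrottle(now=clock)
    results = []
    for t, user, url in timeline:
        clock.t = t
        results.append(throttle.check(user, url))
    return results


def interactive_user() -> List[Decision]:
    # constructed: a person loads a page, hits reload at once, then again after 5 s
    return simulate([(0.0, "alice", "/page"), (0.5, "alice", "/page"), (5.0, "alice", "/page")])


def runaway_client(seconds: int = 70) -> List[Decision]:
    # constructed: a client re-requesting the same slow URL once per second, ignoring 429s
    return simulate([(float(i), "bot", "/slow-report") for i in range(seconds)])


if __name__ == "__main__":
    for i, d in enumerate(runaway_client()):
        print(f"t={i:2d}s  {d.status}  {'HARD BLOCK: ' + d.message if d.hard_block else ''}")
```

Running the module prints the runaway-client timeline: 200 and 429 alternate for the first half minute, the 16th block (at t=31 s) switches the pair into the hard block, every request up to t=59 s is rejected with the "interactive usage" message, and at t=60 s the counter resets and the client is served again. Other users, and the same user on other URLs, are unaffected because the counters are keyed on the (user, URL) pair.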
