[SAC] [OSGeo] #1678: Relax anti-DOS protection for the SVN service

OSGeoTrac · May 13, 2016, 5:56am

#1678: Relax anti-DOS protection for the SVN service
---------------------------+------------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords: dos, svn, apache
---------------------------+------------------------------
It looks like 30 requests within a single second are easy to make when it
comes to fetching SVN code. See postgis:#3553

This ticket is to raise the DOSSiteCount limit a little bit, after
checking that it is really legit to hit that hard, even if it is for an
SVN checkout.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1678>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

OSGeoTrac · May 13, 2016, 6:31am

#1678: Relax anti-DOS protection for the SVN service
------------------------------+--------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: dos, svn, apache |
------------------------------+--------------------

Comment (by strk):

It was found to be DOSPageCount (3) to be the cause of blocking, not
DOSSiteCount (which is 50, btw, not 30): postgis:#3553#comment:6

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1678#comment:1>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

OSGeoTrac · May 13, 2016, 2:27pm

#1678: Relax anti-DOS protection for the SVN service
------------------------------+--------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: dos, svn, apache |
------------------------------+--------------------

Comment (by wildintellect):

It's reasonable to set the svn limits rather high, since a spammer won't
have commit rights without a project admin manually adding them to the
correct project group. So more than a few hundred hits a minute for all of
the possible options.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1678#comment:2>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

OSGeoTrac · May 13, 2016, 4:02pm

#1678: Relax anti-DOS protection for the SVN service
------------------------------+--------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: dos, svn, apache |
------------------------------+--------------------

Comment (by strk):

It doesn't take commit access to successfully run a denial-of-service
attack

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1678#comment:3>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.