Bug 1354145, added Using a Router Image to Protect Against DDoS Attacks #2564

Merged
merged 1 commit into from
Aug 19, 2016


ahardin-rh
Contributor

@ahardin-rh ahardin-rh added this to the Future Release milestone Jul 27, 2016
@ahardin-rh ahardin-rh self-assigned this Jul 27, 2016
@ahardin-rh
Contributor Author

@JacobTanenbaum Please review. Also, what are your thoughts on placement? Thanks!

@JacobTanenbaum

I think this should be moved to the section "Deploying the default haproxy router". PR openshift/origin#9003 adds an environment variable (ROUTER_SLOWLORIS_TIMEOUT) to toggle defending the system against slowloris-like attacks. I am also not sure exactly of the best place to mention them, but PR openshift/origin#9810 adds the ability to defend routes from various other DDoS-type attacks; the annotations on the route affect the route's backend in the router template.

@ahardin-rh
Contributor Author

@JacobTanenbaum Thanks for your suggestions! I captured the extra information you provided and also moved the content per your comments.

What are the benefits of setting timeout http-request vs. ROUTER_SLOWLORIS_TIMEOUT vs. the outlined HAProxy Template Router Settings? I think it would be helpful to provide a use case for each, or at least provide more clarity as to why a user would choose one method over the other. Thoughts? Thanks again!


|Setting |Description

|`*router.openshift.io/haproxy.DDOS*`


haproxy.router.openshift.io/rate-limit-connections

@JacobTanenbaum

Setting the environment variable has the benefit of being part of the router template. The information is captured as part of the router's deployment configuration and does not require a user to hand-modify the template.
Hand-adding the haproxy setting would require the user to rebuild the router pod and maintain their own router template file with the change.

@ahardin-rh
Contributor Author

@JacobTanenbaum Thanks for your comments. This is now updated.

@adellape @tnguyen-rh Please peer review 🙇


Also, when the environment variable `*ROUTER_SLOWLORIS_TIMEOUT*` is set, it
limits the amount of time a client has to send the whole HTTP request.
Otherwise, HAProxy will shut down the connection.
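
Review bot: In the last sentence, "Otherwise" has no clear antecedent; read literally it says HAProxy shuts down the connection when `ROUTER_SLOWLORIS_TIMEOUT` is not set. State the condition directly, for example "If the client has not sent the whole request within that time, HAProxy shuts down the connection." The paragraph also gives no value format or units for the variable, so an example setting would help readers.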


Maybe redundant in the current context, but I'd conditionalize the last sentence: "Otherwise, ... the connection, if CONDITION."
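
Why a limit on the time to send the whole HTTP request matters even when an inactivity timer exists, shown as an added simulation (not code from this PR, OpenShift or HAProxy). The function names, the sample traffic and the timer values of 5 s and 10 s are constructed for illustration and are not product defaults.

```python
# Added illustration, not OpenShift or HAProxy code. Times are seconds since the
# connection was accepted; all traffic and timer values below are constructed.
HEAD_END = b"\r\n\r\n"  # blank line that ends an HTTP request head


def evaluate(arrivals, inactivity_timeout=None, request_deadline=None):
    """Replay (time, bytes) arrivals against two independent timers.

    inactivity_timeout: longest allowed gap between reads; reset by every chunk.
    request_deadline:   longest allowed time to deliver the complete request head,
                        the limit the PR text describes for ROUTER_SLOWLORIS_TIMEOUT.
    Returns (verdict, time_connection_was_resolved).
    """
    buf, last = b"", 0.0

    def next_expiry():
        timers = []
        if inactivity_timeout is not None:
            timers.append((last + inactivity_timeout, "idle-timeout"))
        if request_deadline is not None:
            timers.append((request_deadline, "request-timeout"))
        return min(timers) if timers else None

    for t, data in arrivals:
        expiry = next_expiry()
        if expiry and t > expiry[0]:      # a timer fired before this chunk arrived
            return expiry[1], expiry[0]
        buf, last = buf + data, t
        if HEAD_END in buf:               # full head received: hand off to backend
            return "accepted", t
    expiry = next_expiry()                # client went quiet with the head unfinished
    return (expiry[1], expiry[0]) if expiry else ("still-open", last)


def normal_client():
    return [(0.05, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]


def slow_client():
    # One header line every 4 s for two minutes, never sending the final blank line.
    return [(0.0, b"GET / HTTP/1.1\r\n")] + [(4.0 * i, b"X-a: b\r\n") for i in range(1, 31)]


if __name__ == "__main__":
    for name, client in (("normal", normal_client), ("slow", slow_client)):
        print(name, "idle only:      ", evaluate(client(), inactivity_timeout=5))
        print(name, "idle + deadline:", evaluate(client(), 5, 10))
```

With only the inactivity timer, the slow client holds its connection for the full two minutes because every chunk resets the timer; adding the request deadline closes it at 10 s while the normal client is unaffected.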

@tnguyen-rh

@ahardin-rh A few stumbling points for me.

@ahardin-rh ahardin-rh force-pushed the dos-attacks branch 2 times, most recently from 4355741 to a2a93aa Compare August 4, 2016 18:04
@ahardin-rh ahardin-rh merged commit d7dba35 into openshift:master Aug 19, 2016
@ahardin-rh
Contributor Author

Approved by QE in BZ

@ahardin-rh
Contributor Author

[rev_history]
|xref:../install_config/install/deploy_router.adoc#install-config-install-deploy-router[Installing -> Deploying a Router]
|Added a new xref:../install_config/install/deploy_router.adoc#deploy-router-protecting-against-ddos-attack[Protecting Against DDoS Attacks] section.
%

@vikram-redhat vikram-redhat modified the milestones: OCP 3.3 GA, TEMP Oct 7, 2016
@ahardin-rh ahardin-rh deleted the dos-attacks branch November 9, 2017 19:26
5 participants