From: Kiran Ayyagari
To: "users@directory.apache.org"
Subject: Re: intercept LDAP request based on IP address
Date: Tue, 28 Jan 2014 15:55:45 +0530

On Tue, Jan 28, 2014 at 3:44 PM, Ute Schröder wrote:

> Hi,
>
> I am using apacheDS 2.0.0 M15 embedded into my application. I would like
> to prevent DoS attacks to the LDAP server by blocking repeated requests
> from identical IP addresses.
> My first thought was to use an interceptor, but I found that the first
> method to be called is the lookup() method, and the
> lookupOperationContext does not contain the client's IP address. I get
> the IP address in the bind(BindContext) method, but then I have already
> spent server capacity to check the username and password in the database
> (even if the password is wrong, or the username unknown).
>
> What is the best way to get to the client's IP address before I make a
> database lookup? Is it possible to add a filter to the Mina filter chain
> that is used in apacheDS, and if yes, how can I do that?
>

This is the best way to do it. Take a look at the start() method in the
LdapServer class; you can add a filter to the IoFilterChainBuilder in there.

Let us know if you run into any issues.

> Using an external firewall to prevent DoS attacks is not feasible,
> unfortunately.
>
> Thank you for your help, and best regards,
> Ute
>

-- 
Kiran Ayyagari
http://keydap.com