
Status

Status: RESOLVED FIXED
Product: Bugzilla
Component: Bugzilla-General
Importance: -- enhancement
Reported: 17 years ago
Modified: 5 years ago

People

(Reporter: Risto Kotalampi, Assigned: Matthew Barnson)

Tracking

Version: unspecified
Target Milestone: Bugzilla 2.14

Attachments

(1 attachment)

(Reporter)

Description

17 years ago
Every now and then some idiot hits bugzilla with search engine, recursive 
queries, or something that follows all links on previous page. This is causing 
bunch of simultaneous hits to the database, and eventually load goes very high 
(I have seen 40-50). 

So far what I have done is to look who is the bad guy and blocked their access 
in Apache to bugzilla. But could this be something that bugzilla would track? 
For example bugzilla could record every hit it's getting from each IP 
and:

    # $hits_last_minute{$ip}: requests seen from $ip during the last minute
    if ($hits_last_minute{$ip} > $limit) {
        reject_access();
    }
Hmm, this sounds familiar, eh, Dawn?

Comment 2

17 years ago
oooh, lookie this!
http://www.snert.com/Software/Throttle/

maybe it's just a matter of reconfiguring apache.
You can probably throttle bugzilla with only a few connections, though,
unfortunately, so "solving" the problem would likely impact normal usage.
This may be desirable in some cases.

Comment 4

17 years ago
ThrottleClientIP size policy limit period
    Context: server

    Specify the size of the client IP address list and the global policy to be
    applied to all incoming connections based on information recorded for a client
    IP address. The policy Concurrent is ignored.

    When the list size is greater than zero, then throttling by client IP
    address is enabled (the default is zero). Requests from a client IP address can
    be tracked for a short period of time and subject to the policy specified. The
    period of time that a client IP address is tracked depends on the size of the
    client IP address list, which is ordered most recent request to oldest. Every
    time a new client IP address connects, the oldest entry in the list is lost and
    reassigned to the new client IP address. Every time an existing entry makes a
    request, it is moved to the top of the list.

    Request
    Impose a limit on the number of requests per period. When this limit is exceeded
    all further requests are refused until the elapsed time exceeds the period
    length, at which point the elapsed time and counters are reset.
Target Milestone: --- → Future
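The per-IP counter the reporter sketches in the description and the ThrottleClientIP "Request" policy quoted in comment 4 describe the same mechanism: a bounded list of client IPs ordered most recent first, a request counter per IP, refusal once the counter passes the limit, and a reset once the period has elapsed. The following is an added example (not Bugzilla code and not mod_throttle's source) that implements that description so the behaviour can be replayed against a constructed request log; the class and function names, the sample IPs and the timestamps are all assumptions made for the illustration.

```python
from collections import OrderedDict
import time


class ClientIPThrottle:
    """Bounded per-client-IP request throttle.

    Follows the ThrottleClientIP text quoted above:
      - at most `size` client IPs are tracked, ordered most recent first;
        a new IP evicts the oldest entry (size 0 means throttling is off);
      - "Request" policy: at most `limit` requests per `period` seconds;
        once exceeded, every further request is refused until the period
        has elapsed, at which point the elapsed time and counter reset.
    `clock` is injectable so the behaviour can be replayed deterministically.
    """

    def __init__(self, size, limit, period, clock=time.monotonic):
        if size < 0 or limit <= 0 or period <= 0:
            raise ValueError("size must be >= 0, limit and period must be > 0")
        self.size = size
        self.limit = limit
        self.period = period
        self._clock = clock
        # ip -> [window_start, request_count]; the last item is the most recent client
        self._entries = OrderedDict()

    def allow(self, ip):
        """Record one request from `ip`; return True to serve it, False to refuse it."""
        if self.size == 0:
            return True
        now = self._clock()
        entry = self._entries.get(ip)
        if entry is None:
            if len(self._entries) >= self.size:
                self._entries.popitem(last=False)  # drop the least recently seen IP
            entry = self._entries[ip] = [now, 0]
        else:
            self._entries.move_to_end(ip)  # most recent request moves to the top
        if now - entry[0] > self.period:  # period elapsed: reset elapsed time and counter
            entry[0], entry[1] = now, 0
        entry[1] += 1
        return entry[1] <= self.limit

    def tracked(self):
        """IPs currently tracked, most recent first."""
        return list(reversed(self._entries))


class FakeClock:
    """Settable clock so a request log can be replayed with its own timestamps."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


# Constructed sample log (seconds since start, client IP): one crawler
# (203.0.113.7) hammering the server, one ordinary user (198.51.100.2),
# then the crawler coming back after the period has elapsed.
REQUESTS = [
    (0.0, "203.0.113.7"), (1.0, "203.0.113.7"), (2.0, "203.0.113.7"),
    (3.0, "198.51.100.2"), (4.0, "203.0.113.7"), (4.5, "198.51.100.2"),
    (5.0, "203.0.113.7"), (6.0, "203.0.113.7"), (7.0, "203.0.113.7"),
    (8.0, "203.0.113.7"), (75.0, "203.0.113.7"),
]


def replay(requests, size=100, limit=5, period=60.0):
    """Run (timestamp, ip) pairs through a throttle; return the refused pairs."""
    clock = FakeClock()
    throttle = ClientIPThrottle(size, limit, period, clock=clock)
    refused = []
    for ts, ip in requests:
        clock.t = ts
        if not throttle.allow(ip):
            refused.append((ts, ip))
    return refused


if __name__ == "__main__":
    for ts, ip in replay(REQUESTS):
        print(f"refused t={ts:5.1f}s {ip}")
```

Two properties of this scheme are worth keeping in mind before relying on it as the only defence. Tracking state lives in a fixed-size list, so a crawler spread over more than `size` addresses, or simply a burst of unrelated new clients, flushes the entries of the abuser and restarts its counter. And the key is the client IP as the server sees it, so many legitimate users behind one NAT or forward proxy share a single bucket and can be refused together, which is the "impact on normal usage" comment 2 anticipates.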
minor alteration to the summary to make the subject more obvious.  Moving to 2.14 
since this is a security issue and b.m.o has already been nailed by it at least 
once.  Although it may just be a documentation issue because it looks like a lot 
of it is browser-specific configuration.
Summary: bugzilla DOS → bugzilla DoS
Target Milestone: Future → Bugzilla 2.14
-> docboy
Assignee: tara → barnboy
(Reporter)

Comment 7

17 years ago
mod_throttle is implemented in the new bugzilla.mozilla.org that went to 
production 4/13/01.
(Assignee)

Updated

17 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 8

16 years ago
I have not yet documented this procedure in the Guide.
I will work on it this weekend.

Comment 9

16 years ago
Working on this...
Assignee: barnboy → zach
Status: ASSIGNED → NEW

Comment 10

16 years ago
Created attachment 45532 [details] [diff] [review]
patch to fix

Comment 11

16 years ago
Back to barnboy for review and checkin.
Assignee: zach → barnboy
(Assignee)

Comment 12

16 years ago
Reviewed and checked in.  Had to fix a couple of errors with broken syntax, but 
otherwise leaving as-is.  Resolving as soon as I check in.
Status: NEW → ASSIGNED
(Assignee)

Comment 13

16 years ago
Documented, checked in.  Would be nice to have non-apache directions for this, 
as well.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa