Rate limiting Kerberos Requests
Frank Cusack
frank at linetwo.net
Wed Sep 26 00:56:55 EDT 2012
On Tue, Sep 25, 2012 at 2:02 PM, Jack Neely <jjneely at ncsu.edu> wrote:
> My network engineers tell me that the firewall in one DC had 8000
> concurrent connections from the offending IP address to the KDCs and
> 4000 in the second DC. (Oddly, the DC with only 1 slave.) The KDCs
> weren't able to handle other requests until the spike settled.
>
Well then, that's the place where you should apply a limit.
iptables -A INPUT -p tcp --dport 88 -m limit --limit 4/min --limit-burst
> 6 -j ACCEPT
> iptables -A INPUT p tcp --dport 88 -j DROP
>
The problem with a rule like that is that the attack succeeds: you are
dropping arbitrary requests from arbitrary users. It's the exact same
effect as just letting the server get overwhelmed.
Another problem is that you are limiting TCP whereas Kerberos will use
UDP. UDP plays havoc with firewalls, and as Russ points out, that's where
the problem is likely to really lie. 8000 concurrent "connections" from
one host is symptomatic of a firewall problem.
More information about the Kerberos
mailing list