OpenShift Bugs: OCPBUGS-22472

rate-limit annotations protect against DOS, not DDOS


Description of problem:

Our documentation states that some route annotations provide "basic protection against distributed denial-of-service (DDoS) attacks".

That statement is false. Those annotations provide basic protection against DOS (denial of service) but not DDoS (DISTRIBUTED denial of service). And the reason is very simple: those annotations impose limits on concurrent connections, connection rate or request rate FROM THE SAME SOURCE IP, so if the DOS (denial of service) is distributed (DDoS), limiting individual IPs does nothing, because each individual source can be under the limits imposed by these annotations and yet there is an attack due to the large number of clients.

These annotations only protect against individual clients trying to abuse alone, not an abuse consisting of having too many clients (which is the definition of DDoS).

Version-Release number of selected component (if applicable):

All the OCP versions

How reproducible:

Always

Steps to Reproduce:

1. Read the docs

Actual results:

Wrong docs

Expected results:

Good docs

Additional info:

It is quite urgent to clarify this, as the statements about DDoS may create false expectations in our user base.
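The description above argues that a per-source-IP limit bounds each client on its own and therefore cannot see aggregate load. The following model is an added illustration, not code from this ticket or from the OpenShift router: it applies a per-source-IP request-rate limit to a window of requests and compares a single source that exceeds the limit with many sources that each stay under it. The limit value, backend capacity, client counts and IP addresses are all constructed for the example.

```python
"""Model of a per-source-IP request-rate limit (added illustration, not the
OpenShift router's code).  It shows why such a limit contains one abusive
client but is blind to a large number of clients that each stay under it."""
from collections import defaultdict

# Constructed values: at most LIMIT_PER_IP requests per source IP per window,
# and a backend that can absorb BACKEND_CAPACITY requests per window in total.
LIMIT_PER_IP = 100
BACKEND_CAPACITY = 1000


def admit(requests):
    """Apply the per-IP limit to one window of requests.

    requests: list of source-IP strings, one entry per request.
    Returns (admitted, rejected): requests passed to the backend and requests
    refused because their source IP already used up its quota.
    """
    per_ip = defaultdict(int)
    admitted = rejected = 0
    for ip in requests:
        per_ip[ip] += 1           # the limiter only ever counts per source
        if per_ip[ip] <= LIMIT_PER_IP:
            admitted += 1
        else:
            rejected += 1
    return admitted, rejected


def backend_overloaded(requests):
    """True when the requests that survive the per-IP limit still exceed
    what the backend can absorb; this is the condition the limit is
    supposed to prevent."""
    admitted, _ = admit(requests)
    return admitted > BACKEND_CAPACITY


def single_source(n):
    """Constructed window: one source IP sending n requests."""
    return ["198.51.100.7"] * n


def distributed(clients, per_client):
    """Constructed window: `clients` distinct source IPs (10.0.x.y, unique
    per client) each sending `per_client` requests."""
    window = []
    for i in range(clients):
        window.extend([f"10.0.{i // 256}.{i % 256}"] * per_client)
    return window


if __name__ == "__main__":
    # One client far over the limit: the limiter clips it to LIMIT_PER_IP
    # and the backend stays within capacity.
    print("single source 5000 req  ->", admit(single_source(5000)),
          "overloaded:", backend_overloaded(single_source(5000)))
    # Fifty clients at 90 requests each: every one is under the limit, so
    # nothing is rejected and the backend receives 4500 requests.
    print("50 clients x 90 req     ->", admit(distributed(50, 90)),
          "overloaded:", backend_overloaded(distributed(50, 90)))
```

Run as a script, the first window is clipped to 100 admitted requests and the backend is not overloaded; in the second window every source stays under its quota, nothing is rejected, and the backend receives 4500 requests against a capacity of 1000. The counter is keyed by source IP, so aggregate load is simply not a quantity it measures, which is the distinction the ticket asks the documentation to make.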

People: Kevin Owen (kowen@redhat.com), Pablo Alonso Rodriguez (rhn-support-palonsor), Shudi Li