Bug
Resolution: Done
Critical
4.13, 4.12, 4.11, 4.14
Important
OSDOCS Sprint 247, OSDOCS Sprint 248
Release Note Not Required
Description of problem:
Our documentation states that some route annotations provide "basic protection against distributed denial-of-service (DDoS) attacks". That statement is false. Those annotations provide basic protection against DoS (denial of service) but not DDoS (DISTRIBUTED denial of service). The reason is very simple: those annotations impose limits on concurrent connections, connection rate or request rate TO THE SAME SOURCE IP, so if the DoS is distributed (DDoS), limiting individual IPs does nothing, because each individual source can stay under the limits imposed by these annotations and yet there is still an attack due to the large number of clients. These annotations only protect against individual clients trying to abuse the service on their own, not against abuse that consists of having too many clients (which is the definition of DDoS).
Version-Release number of selected component (if applicable):
All the OCP versions
How reproducible:
Always
Steps to Reproduce:
1. Read the docs
Actual results:
Wrong docs
Expected results:
Good docs
Additional info:
It is quite urgent to clarify this, as the statements about DDoS may create false expectations in our user base.
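
The per-source limitation described in this report can be checked with a small model. The following is an added example, not part of the original ticket or of OpenShift: it uses a simplified fixed-window per-IP limiter (an assumption, not the router's actual implementation), and the limit, capacity and traffic values are constructed.

```python
from collections import Counter

def evaluate(requests, per_ip_limit, backend_capacity, window=1.0):
    """Apply a per-source-IP request limit and compare what gets through
    against what the backend can serve per window.

    requests: iterable of (timestamp_seconds, source_ip) tuples.
    """
    per_ip = Counter()      # (source_ip, window slot) -> requests seen
    per_window = Counter()  # window slot -> requests admitted
    offered = 0
    for ts, ip in requests:
        offered += 1
        slot = int(ts // window)
        per_ip[(ip, slot)] += 1
        if per_ip[(ip, slot)] <= per_ip_limit:
            per_window[slot] += 1
    admitted = sum(per_window.values())
    peak = max(per_window.values(), default=0)
    return {
        "offered": offered,
        "admitted": admitted,
        "rejected": offered - admitted,
        "peak_per_window": peak,
        "over_capacity": peak > backend_capacity,
    }

# Constructed traffic, all within the same one-second window.
# One client sending 5000 requests: the per-IP limit cuts it down.
SINGLE_SOURCE = [(i / 5000, "192.0.2.10") for i in range(5000)]
# 1000 distinct clients sending 5 requests each: every client is under the limit.
MANY_SOURCES = [(0.5, f"10.0.{n // 250}.{n % 250 + 1}")
                for n in range(1000) for _ in range(5)]

PER_IP_LIMIT = 10        # assumed per-source request limit per window
BACKEND_CAPACITY = 1000  # assumed requests the backend can serve per window

if __name__ == "__main__":
    for name, traffic in (("single source", SINGLE_SOURCE),
                          ("many sources", MANY_SOURCES)):
        print(name, evaluate(traffic, PER_IP_LIMIT, BACKEND_CAPACITY))
```

Both traces offer the same 5000 requests; only the single-source one is reduced by the per-IP limit, which is why an aggregate limit or upstream protection has to cover the distributed case.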