[Twisted-Python] connectionMade, TLS and DoS protection timeouts
itamar at itamarst.org
Tue Feb 28 21:04:12 EST 2012
On 02/28/2012 06:42 PM, Tobias Oberstein wrote:
> I was wondering how I could protect a Twisted server from evil clients initiating,
> but never completing a TLS handshake.
> connectionMade is only called when the TLS handshake has completed, right?
> When doing listenSSL, is there a hook which is fired right after the TCP handshake is
> complete, before the TLS handshake begins, so that I can set up a callLater/dropConnection?
> This is the piece I am missing, since for TCP-level protection (SYN floods etc.) I can
> use kernel parameters / kernel packet filtering, and for app-level protection
> (I do WebSockets, which also has a handshake) I can time out that.
> I'd like to do the above without requiring a frontend TLS terminator / firewall.
One thing to do (perhaps the easiest) is, instead of listenSSL, doing
listenTCP and then startTLS in the protocol's connectionMade. This would
let you set a timeout that calls abortConnection in connectionMade.
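The pattern Itamar describes, written out as an added example (this is not code from the thread or from Twisted itself): the server listens with listenTCP, calls startTLS on the transport in connectionMade, and arms a callLater that invokes abortConnection if the peer has not produced any decrypted application data by the deadline. Since Twisted only hands the protocol plaintext, the first dataReceived is proof that the handshake finished. The port, key/certificate file names, the 10-second deadline, and the ManualClock/RecordingTransport stand-ins used to exercise the logic without a reactor are all assumptions made for this example.

```python
"""Added example: listenTCP + startTLS in connectionMade, with a handshake watchdog."""
try:
    from twisted.internet.protocol import Protocol, Factory
except ImportError:  # Twisted absent: the timeout logic can still be exercised below
    Protocol = object
    Factory = object

HANDSHAKE_TIMEOUT = 10.0  # seconds; assumed value, tune for your deployment


class TLSHandshakeTimeout(Protocol):
    """Served via listenTCP (not listenSSL), so connectionMade fires once the TCP
    handshake is done and before any TLS bytes move.
    factory.clock: anything with callLater (the reactor, or a fake in tests)
    factory.context_factory: server TLS context handed to transport.startTLS
    factory.handshake_timeout: seconds the peer gets to finish the handshake
    """
    _watchdog = None
    handshake_done = False

    def connectionMade(self):
        self.transport.startTLS(self.factory.context_factory)  # handshake starts now
        # abortConnection() (not loseConnection) drops the socket immediately
        # instead of waiting for a close_notify a stalled peer will never send.
        self._watchdog = self.factory.clock.callLater(
            self.factory.handshake_timeout, self._on_timeout)

    def _on_timeout(self):
        self._watchdog = None
        self.transport.abortConnection()

    def _cancel_watchdog(self):
        if self._watchdog is not None and self._watchdog.active():
            self._watchdog.cancel()
        self._watchdog = None

    def dataReceived(self, data):
        # Only decrypted application data reaches here, so the first call proves
        # the TLS handshake completed: disarm the watchdog.
        if not self.handshake_done:
            self.handshake_done = True
            self._cancel_watchdog()
        self.transport.write(data)  # echo, just to do something with the data

    def connectionLost(self, reason=None):
        self._cancel_watchdog()


# ---- Stand-ins (assumed, not Twisted APIs) to drive the protocol offline ----
class _DelayedCall:
    def __init__(self, when, fn):
        self.when, self.fn, self._active = when, fn, True
    def active(self):
        return self._active
    def cancel(self):
        self._active = False
    def fire(self):
        self._active = False
        self.fn()


class ManualClock:
    """Minimal replacement for twisted.internet.task.Clock (callLater/advance)."""
    def __init__(self):
        self.now, self.calls = 0.0, []
    def callLater(self, delay, fn):
        call = _DelayedCall(self.now + delay, fn)
        self.calls.append(call)
        return call
    def advance(self, seconds):
        self.now += seconds
        for call in sorted(self.calls, key=lambda c: c.when):
            if call.active() and call.when <= self.now:
                call.fire()


class RecordingTransport:
    """Records startTLS/write/abortConnection instead of touching a socket."""
    def __init__(self):
        self.tls_started, self.aborted, self.written = False, False, b""
    def startTLS(self, ctx):
        self.tls_started = True
    def write(self, data):
        self.written += data
    def abortConnection(self):
        self.aborted = True


def simulate(first_data_after, timeout=HANDSHAKE_TIMEOUT):
    """Run one connection whose client delivers its first application data after
    `first_data_after` seconds (None = never). Returns what the server did."""
    class _FakeFactory:  # attributes a real Factory instance would carry
        clock = ManualClock()
        context_factory = None  # a real run passes an OpenSSL context factory
        handshake_timeout = timeout
    proto = TLSHandshakeTimeout()
    proto.factory, proto.transport = _FakeFactory, RecordingTransport()
    proto.connectionMade()
    if first_data_after is not None and first_data_after < timeout:
        _FakeFactory.clock.advance(first_data_after)
        proto.dataReceived(b"hello")
    _FakeFactory.clock.advance(timeout + 1)  # let a still-armed watchdog fire
    t = proto.transport
    return {"tls_started": t.tls_started, "aborted": t.aborted, "echoed": t.written}


if __name__ == "__main__":  # real server; file names and port are assumptions
    from twisted.internet import reactor, ssl
    factory = Factory.forProtocol(TLSHandshakeTimeout)
    factory.clock, factory.handshake_timeout = reactor, HANDSHAKE_TIMEOUT
    factory.context_factory = ssl.DefaultOpenSSLContextFactory("server.key", "server.crt")
    reactor.listenTCP(8443, factory)
    reactor.run()
```

simulate(None) models the attacker in the question (TCP connect, then silence) and ends with abortConnection called; simulate(2.0) models a normal client and leaves the watchdog cancelled. Two caveats a deployment should keep in mind: a peer that completes the handshake and then idles is not covered by this timer, so the application-level timeout Tobias already has for the WebSocket handshake still matters; and later Twisted releases added IHandshakeListener.handshakeCompleted, which is a cleaner place to disarm the watchdog than the first dataReceived, but that interface is newer than this thread.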