[Twisted-Python] connectionMade, TLS and DoS protection timeouts

Tobias Oberstein tobias.oberstein at tavendo.de
Wed Feb 29 03:56:23 EST 2012

> > I was wondering how I could protect a Twisted server from evil clients
> > initiating, but never completing a TLS handshake.
> >
> > connectionMade is only called when the TLS handshake has completed, right?
> >
> > When doing listenSSL, is there a hook which is fired right after the
> > TCP handshake is complete, before the TLS handshake begins, so that I
> > can setup a callLater/dropConnection timeout?
> >
> > This is the piece I am missing, since for TCP-level protection (Syn
> > floods etc), I can use kernel parameters / kernel packet filtering,
> > and for app-level protection (I do WebSockets .. which also has a handshake) I
> can timeout that.
> >
> > I like to do above without requiring a frontend TLS terminator / firewall ..
> One thing to do (perhaps the easiest) is, instead of listenSSL, doing listenTCP
> and then startTLS in the protocol's connectionMade. This would let you set a
> timeout that calls abortConnection in connectionMade.

Thanks! That sounds reasonable and easy enough.

Also thanks for pointing to abortConnection() .. which is also a good thing in the context of DoS protection ..


More information about the Twisted-Python mailing list