[Twisted-Python] connectionMade, TLS and DoS protection timeouts

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Wed Feb 29 09:12:47 EST 2012


On 28 Feb, 11:42 pm, tobias.oberstein at tavendo.de wrote:
>I was wondering how I could protect a Twisted server from evil clients initiating, but never completing, a TLS handshake.
>
>connectionMade is only called when the TLS handshake has completed, right?

Actually, this is not right.  It's sort of a wart, but connectionMade is 
called when the underlying TCP connection is established.  The TLS 
handshake will always complete at some later time.

One reason we (or at least I) have not yet really tried to change this 
is that doing so would make it harder to address just the problem you're 
talking about.

Jean-Paul
>When doing listenSSL, is there a hook which is fired right after the TCP handshake is complete, before the TLS handshake begins, so that I can set up a callLater/dropConnection timeout?
>
>This is the piece I am missing, since for TCP-level protection (SYN floods etc.) I can use kernel parameters / kernel packet filtering, and for app-level protection (I do WebSockets .. which also has a handshake) I can timeout that.
>
>I'd like to do the above without requiring a frontend TLS terminator / firewall ..
>
>Thanks!
>
>\Tobias
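Since connectionMade fires when the TCP connection is up (as Jean-Paul explains), the timeout Tobias asks about can be armed right there and cancelled once the TLS handshake finishes. The following is an added example, not code from this thread or from Twisted itself. It assumes the IHandshakeListener interface (with its handshakeCompleted method) that later Twisted releases added; the HandshakeWatchdog, FakeClock and simulate names and the 5-second deadline are constructed for illustration.

```python
"""Drop TLS clients that never finish the handshake (added example, not from the thread).

connectionMade fires on TCP establishment, before the TLS handshake, so a deadline
armed there and cancelled on handshake completion bounds how long a half-open TLS
client can hold a connection open.
"""


class HandshakeWatchdog:
    """Dependency-free core: arm a deadline on TCP connect, disarm on handshake."""

    def __init__(self, call_later, lose_connection, timeout):
        self._call_later = call_later            # e.g. reactor.callLater
        self._lose_connection = lose_connection  # e.g. transport.loseConnection
        self._timeout = timeout
        self._deadline = None
        self.timed_out = False

    def arm(self):
        # Called from connectionMade: TCP is established, TLS has not started.
        self._deadline = self._call_later(self._timeout, self._expire)

    def disarm(self):
        # Called from handshakeCompleted (and connectionLost, to avoid a dangling timer).
        if self._deadline is not None and self._deadline.active():
            self._deadline.cancel()
        self._deadline = None

    def _expire(self):
        # Deadline passed without a completed handshake: release the slot.
        self.timed_out = True
        self._lose_connection()


# --- constructed fake clock so the watchdog can be exercised without a reactor ---
class _FakeCall:
    def __init__(self, when, func):
        self.when, self.func, self._cancelled, self._fired = when, func, False, False

    def active(self):  # mirrors DelayedCall.active(): False once fired or cancelled
        return not (self._cancelled or self._fired)

    def cancel(self):
        self._cancelled = True


class FakeClock:
    def __init__(self):
        self.now = 0.0
        self.calls = []

    def callLater(self, delay, func):
        call = _FakeCall(self.now + delay, func)
        self.calls.append(call)
        return call

    def advance(self, secs):
        self.now += secs
        for call in sorted(self.calls, key=lambda c: c.when):
            if call.active() and call.when <= self.now:
                call._fired = True
                call.func()


def simulate(handshake_delay, timeout=5.0):
    """Return (timed_out, dropped) for a client that completes the handshake after
    handshake_delay seconds (None = never)."""
    clock = FakeClock()
    dropped = []
    wd = HandshakeWatchdog(clock.callLater, lambda: dropped.append(True), timeout)
    wd.arm()                                   # connectionMade
    if handshake_delay is not None and handshake_delay < timeout:
        clock.advance(handshake_delay)
        wd.disarm()                            # handshakeCompleted
    clock.advance(timeout + 1)                 # let the deadline expire if still armed
    return wd.timed_out, bool(dropped)


# Real Twisted wiring; the import is guarded only so the watchdog above runs without Twisted.
try:
    from zope.interface import implementer
    from twisted.internet import reactor
    from twisted.internet.interfaces import IHandshakeListener
    from twisted.internet.protocol import Protocol

    @implementer(IHandshakeListener)
    class HandshakeDeadlineProtocol(Protocol):
        HANDSHAKE_TIMEOUT = 5.0  # assumed value; tune for your deployment

        def connectionMade(self):
            # TCP is up, TLS handshake not yet done: start the clock now.
            self._watchdog = HandshakeWatchdog(
                reactor.callLater, self.transport.loseConnection, self.HANDSHAKE_TIMEOUT)
            self._watchdog.arm()

        def handshakeCompleted(self):
            # Peer finished the TLS handshake in time: stop the clock.
            self._watchdog.disarm()

        def connectionLost(self, reason):
            self._watchdog.disarm()
except ImportError:
    HandshakeDeadlineProtocol = None
```

The watchdog itself has no Twisted dependency, so simulate() exercises both outcomes with the constructed FakeClock: a client that completes the handshake before the deadline keeps its connection, while one that never completes it (or completes it too late) is dropped. In a server built with listenSSL, HandshakeDeadlineProtocol wires the same logic to reactor.callLater and the transport's loseConnection; the kernel-level SYN-flood measures Tobias mentions still apply underneath this.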
