On Fri, 16 Jan 1998, Michał Mosiewicz wrote:
> No, no, no! For security reasons, you can't fork (and exec)
> unauthenticated processes. Especially HBA authentication should be done
> to consume as low resources as possible. Otherwise you open a giant door
> for so infamously called Denial of Service attacks. Afterwards, every
> hacker will know that to bring your system running postgres to its
> knees he just has to try to connect to 5432 port very frequently. "OK",
> you might say, "I have this firewall". "OK", I say, "so what's that HBA
> for?".
>
> So it's the postmaster's role to deny as many connections as possible.
> Unless we speak of non-execing postgres children?

Hrmmmm...I don't quite agree with this. postmaster can handle one
connection at a time, and then has to pass it off to the postgres backend
process...DoS attacks are easier now than by forking before HBA. I just have
to continuously open a connection to port 5432...so, while postmaster is
handling that connection, checking HBA, checking a password...no other new
connections can happen. Can't think of a stronger DoS than that...? :)

Marc G. Fournier
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org
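
The trade-off argued in this exchange can be put in numbers with a small deterministic model. This is an added example, not part of either message and not PostgreSQL code; the function names, the workload and the cap on unauthenticated children are all assumptions made for illustration. It compares how long a normal client waits when one process authenticates serially with how many children exist, or which clients are refused, when a child is forked before authentication.

```python
# Added illustration: a deterministic model of the two designs debated above.
# All names and numbers are constructed; this is not PostgreSQL code.
import heapq

def serial_auth(arrivals):
    """One process authenticates connections one at a time (FIFO).
    arrivals: list of (arrival_time, auth_seconds, label), sorted by time.
    Returns {label: seconds waited before authentication even started}."""
    free_at = 0.0
    waits = {}
    for t, auth, label in arrivals:
        start = max(t, free_at)      # blocked until the previous auth ends
        waits[label] = start - t
        free_at = start + auth
    return waits

def fork_first(arrivals, max_unauth):
    """A child is forked per connection and authenticates in parallel.
    max_unauth (hypothetical setting) caps children that are still
    unauthenticated; connections beyond the cap are refused.
    Returns (peak_children, refused_labels)."""
    running = []                     # min-heap of auth finish times
    peak, refused = 0, []
    for t, auth, label in arrivals:
        while running and running[0] <= t:
            heapq.heappop(running)   # these children finished authenticating
        if len(running) >= max_unauth:
            refused.append(label)
            continue
        heapq.heappush(running, t + auth)
        peak = max(peak, len(running))
    return peak, refused

def sample_arrivals():
    # Constructed workload: five clients that stall for 10 s each during
    # authentication, arriving 1 s apart, then one normal client (0.01 s).
    stalled = [(float(i), 10.0, f"stalled-{i}") for i in range(5)]
    return stalled + [(5.0, 0.01, "normal")]

if __name__ == "__main__":
    print("serial wait for normal client:", serial_auth(sample_arrivals())["normal"])
    print("fork-first, cap 64:", fork_first(sample_arrivals(), 64))
    print("fork-first, cap 3:", fork_first(sample_arrivals(), 3))
```

In this workload the serial design delays the normal client behind every stalled authentication, while the fork-first design either carries one process per pending connection or, with a low cap, refuses the normal client along with the rest.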