Skip to main content.
home | support | download

Back to List Archive

Preventing DOS attack (was: severe swish-e problem (1.3.2) )

From: Bill Moseley <moseley(at)>
Date: Tue Jun 20 2000 - 18:14:13 GMT
At 07:00 AM 06/19/00 -0700, Jose Manuel Ruiz wrote:

>>   - reject short query requests in the CGI script executing the
>>     swish-e program.

>This could be the best one.

I use something like this:

    my $cnt;
    $cnt++ while $query =~ /(?:^|\s)[("]*\S\*/g;

    return 'Please use fewer wild card queries'
        if $cnt > $Max_SingleLetter_Wildcards;

But I've already stripped IgnoreFirst letters off the front of each query
term.  Otherwise the class [("]* should probably include those letters as
well.  And I didn't really spend much time with that regular expression --
so if anyone sees a hole please speak up!

I also limit two letter wildcards, and the total number of wild cards.

The other thing I do to reduce a DOS attack is to limit the amount of time
for each request, and kill off swish at the timeout.  But I'm not sure what
good that would do against someone quickly flooding the server with
wildcard queries.

Signals aren't completely portable so I don't see how a timeout feature
like that could be built into Swish.  Polling the system time seems like a
bad idea.

Bill Moseley
Received on Tue Jun 20 14:20:26 2000