about summary refs log tree commit homepage
path: root/DEPLOY
diff options
context:
space:
mode:
authorEric Wong <normalperson@yhbt.net>2009-10-12 01:13:20 -0700
committerEric Wong <normalperson@yhbt.net>2009-10-12 01:13:20 -0700
commit5fc6a745346517d1321b2e0b7ee0f6b7f88db5bd (patch)
treef05d5ccbe673c7029eb2597f63dc57ea6278d813 /DEPLOY
parent95bd43f95375c79255016f867b7cc524c6b27db8 (diff)
downloadrainbows-5fc6a745346517d1321b2e0b7ee0f6b7f88db5bd.tar.gz
Diffstat (limited to 'DEPLOY')
-rw-r--r--DEPLOY13
1 files changed, 13 insertions, 0 deletions
diff --git a/DEPLOY b/DEPLOY
index 95526e2..e04ef56 100644
--- a/DEPLOY
+++ b/DEPLOY
@@ -27,3 +27,16 @@ processing of the request body as it is being uploaded.
 
 In this case, haproxy or any similar (non-request-body-buffering) load
 balancer should be used to balance requests between different machines.
+
+== Denial-of-Service Concerns
+
+Since \Rainbows! is designed to talk to slow clients with long-held
+connections, it may be subject to brute force denial-of-service attacks.
+In Unicorn and Mongrel, we've already enabled the "httpready" accept
+filter for FreeBSD and the TCP_DEFER_ACCEPT option in Linux; but it is
+still possible to build clients that work around and fool these
+mechanisms.
+
+\Rainbows! itself does not feature any explicit protection against brute
+force denial-of-service attacks.  We believe this is best handled by
+dedicated firewalls provided by the operating system.