Wednesday, 11 February 2015

Web service forcing termination of client connection

We expose CXF web service endpoints through Apache Camel to our clients. Upon receiving the request, we authenticate and authorise. Our client has come up with a requirement that when an authentication or authorisation fails, we should not return any response to the client. Basically we let it time out, because we don't want to give the client the perception that they have crossed into our firewall and are being authenticated.

But then it's possible to exploit this for a denial-of-service attack, where we could have 100k or more requests waiting to be timed out.

Is there any approach to handle these cases, like either terminating the client connection from the web server or Camel, or forcing the request to time out?