[Openstack-security] keystone tokens

Simo Sorce simo at redhat.com
Wed May 22 12:38:43 UTC 2013


On Wed, 2013-05-22 at 12:37 +0100, David Chadwick wrote:
> Two reasons
> 
> 1. I think that some of your arguments (like long pw) were really 
> unauthenticated, not authenticated, user arguments which can be used by 
> any attacker, and
> 
> 2. I think that a cloud service that offers free services to anyone with 
> any email address is not really an authenticated user service; it's more 
> like a public service for everyone, where everyone is allowed to go back 
> to their own specific stake in the cloud. So the users have not been 
> identified and authenticated in any real sense. It's an OpenID, level of 
> assurance = 1, type of service, where all the cloud can be assured of is 
> that it is probably the same user every time, but it has no idea of who 
> this user is.

In both cases you can throttle either by IP or by user name.
I bet there are many other expensive operations a user can perform.
If there is no throttling, a user can simply perform N more operations to
reach the same load on keystone.
Unless there is some form of throttling you cannot really defend against this
kind of DoS attack.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
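
The throttling Simo describes (limit expensive auth requests per client IP
and per claimed username, so neither a single user repeating an operation N
times nor a single source cycling through many usernames can push the same
load onto Keystone) is illustrated below. This is an added example written
for this archive page, not Keystone middleware or any code from the thread;
the limits, the sliding-window policy, the check ordering and the request
trace are all assumptions chosen to show the two rejection paths.

```python
"""Per-IP and per-username throttling of expensive authentication requests.

Added example, not Keystone's own code. Limits, window, and the sample
request trace are constructed assumptions.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    A per-key log of timestamps is kept; entries older than the window are
    dropped before each decision, so a burst cannot hide at a fixed-bucket
    boundary the way it can with simple per-minute counters.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        log = self._events.setdefault(key, deque())
        while log and now - log[0] >= self.window:
            log.popleft()  # expire timestamps outside the window
        if len(log) >= self.limit:
            return False  # throttled; the rejected attempt is not recorded
        log.append(now)
        return True


class AuthThrottle:
    """Throttle by client IP and by username; a request must pass both.

    The IP limiter is consulted first so that one source cannot spend the
    per-user budget of many different usernames before it is cut off. The
    IP budget is charged even if the user check then fails, because the
    request still reached the service.
    """

    def __init__(self, per_ip: int, per_user: int, window: float) -> None:
        self.by_ip = SlidingWindowLimiter(per_ip, window)
        self.by_user = SlidingWindowLimiter(per_user, window)

    def check(self, ip: str, user: str, now: float) -> Tuple[bool, str]:
        if not self.by_ip.allow(ip, now):
            return False, "ip"
        if not self.by_user.allow(user, now):
            return False, "user"
        return True, "ok"


# Constructed trace: (seconds since start, client IP, claimed username).
# Not real traffic. Three phases:
#   1. one legitimate user sends 6 requests within a second,
#   2. one source cycles through 12 distinct usernames,
#   3. the legitimate user returns after the window has elapsed.
SAMPLE_REQUESTS: List[Tuple[float, str, str]] = (
    [(0.2 * i, "10.0.0.5", "alice") for i in range(6)]
    + [(2.0 + 0.1 * i, "203.0.113.7", f"user{i}") for i in range(12)]
    + [(12.0, "10.0.0.5", "alice")]
)


def run_requests(requests: List[Tuple[float, str, str]],
                 per_ip: int = 10, per_user: int = 5,
                 window: float = 10.0) -> List[str]:
    """Replay a chronological trace and return the decision for each request
    ("ok", "ip" for an IP-level rejection, "user" for a username-level one)."""
    throttle = AuthThrottle(per_ip=per_ip, per_user=per_user, window=window)
    return [throttle.check(ip, user, t)[1] for t, ip, user in requests]


if __name__ == "__main__":
    for (t, ip, user), verdict in zip(SAMPLE_REQUESTS,
                                      run_requests(SAMPLE_REQUESTS)):
        print(f"t={t:5.1f}s {ip:>12} {user:<8} -> {verdict}")
```

With the assumed limits (10 per IP, 5 per username, 10-second window), the
sixth request from `alice` is rejected on the username key, the eleventh and
twelfth from `203.0.113.7` are rejected on the IP key even though every
username it tries is fresh, and `alice` is admitted again once her earlier
requests have aged out of the window. The example deliberately keys only on
what the service sees before it does any expensive work, which is the point
of throttling as a DoS defence.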