The nginx reverse proxy we use blocks ridiculous start and rows values: https://github.com/o19s/solr_nginx
Another silly thing I've noticed is you can pass sleep() as a function query. It's not documented, but I think it's a big hole. I wonder if I could DoS your Solr by sleeping and hogging all the available query threads?
http://grepcode.com/file/repo1.maven.org/maven2/org.apache.solr/solr-core/4.3.0/org/apache/solr/search/ValueSourceParser.java#114

On Mon, Sep 21, 2015 at 1:37 PM, Jürgen Wagner (DVT) <juergen.wag...@devoteam.com> wrote:

> Hi Bill,
> the classical way would be to have a reverse proxy in front of the application that catches such cases. A decent reverse proxy or even application firewall router will allow you to define limits on bandwidth and sessions per time unit. Some even recognize specific denial-of-service patterns.
>
> Of course, you could also simply limit the ranges of parameters accepted over the Internet - unless these wild ranges may actually occur in valid scenarios.
>
> A bit more complex is the third alternative that requires valid sessions and permits paging only in one or the other direction. This way, start and offset values would not be exposed, only functions for next page/previous page or maybe some larger steps would be supported. Stepping to one offset would also only be permitted if you come from a proper previous page. Initial requests (in new sessions) would have to start at offset 1. Constraints on the parameters in subsequent requests within a session are a bit harder to handle.
>
> Cheers,
> --Jürgen
>
> On 21.09.2015 19:28, William Bell wrote:
>
>> We have some Denial of service attacks on our web site. SOLR threads are going crazy.
>>
>> Basically someone is hitting start=150000 + and rows=20. The start is crazy large.
>>
>> And then they jump around. start=150000 then start=213030 etc.
>>
>> Any ideas for how to stop this besides blocking these IPs?
>>
>> Sometimes it is Google doing it even though these search results are set with No-index and No-Follow on these pages.
>>
>> Thoughts? Ideas?
>> Thanks
>
> Mit freundlichen Grüßen/Kind regards/Cordialement vôtre/Atentamente/С уважением
>
> i.A. Jürgen Wagner
> Head of Competence Center "Intelligence" & Senior Cloud Consultant
>
> DevoteThem GmbH, Industriestr. 3, 70565 Stuttgart, Germany
> Phone: +49 6151 868-8725, Fax: +49 711 13353-53, Mobile: +49 171 864 1543
> E-Mail: juergen.wag...@devoteam.com, URL: www.devoteam.de
> Managing Board: Jürgen Hatzipantelis (CEO)
> Address of Record: 64331 Weiterstadt, Germany; Commercial Register: Amtsgericht Darmstadt HRB 6450; Tax Number: DE 172 993 071

--
Doug Turnbull | Search Relevance Consultant | OpenSource Connections <http://opensourceconnections.com>, LLC | 240.476.9983
Author: Relevant Search <http://manning.com/turnbull>
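The two controls discussed in this thread, a hard bound on start/rows and a rejection of sleep() in function queries, written out as a small request filter that would sit in front of Solr (in the proxy layer or in the application that builds the query). This is an added example, not code from the thread, from solr_nginx, or from Solr itself; the limits, the set of parameters inspected, and the pattern used to spot sleep() are assumptions chosen for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumed limits for this example. Pick values that cover your real paging
# depth; the thread's abusive requests used start=150000 and start=213030.
MAX_START = 10000
MAX_ROWS = 100

# Heuristic (assumption): any parameter value containing a call to a
# function named sleep, e.g. "{!func}sleep(5000,1)" in q, bf, sort or fl.
# parse_qsl has already percent-decoded the value by the time this runs.
SLEEP_RE = re.compile(r"\bsleep\s*\(", re.IGNORECASE)
NONNEG_INT_RE = re.compile(r"[0-9]+")


def check_solr_params(query_string, max_start=MAX_START, max_rows=MAX_ROWS):
    """Decide whether a Solr query string may be forwarded.

    Returns (True, None) when the request passes, otherwise (False, reason).
    Rejects: non-integer or negative start/rows, start > max_start,
    rows > max_rows, and any parameter value that looks like a sleep() call.
    """
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        lname = name.lower()
        if lname in ("start", "rows"):
            if not NONNEG_INT_RE.fullmatch(value):
                return False, "%s=%r is not a non-negative integer" % (lname, value)
            limit = max_start if lname == "start" else max_rows
            if int(value) > limit:
                return False, "%s=%s exceeds %d" % (lname, value, limit)
        if SLEEP_RE.search(value):
            return False, "%s contains a sleep() function call" % name
    return True, None


if __name__ == "__main__":
    # Constructed requests modelled on the ones described in the thread.
    samples = (
        "q=*:*&start=0&rows=20",
        "q=*:*&start=150000&rows=20",
        "q=*:*&start=213030&rows=20",
        "q=%7B%21func%7Dsleep%285000%2C1%29",
    )
    for qs in samples:
        print(qs, "->", check_solr_params(qs))
```

Apply the check before the request reaches Solr, and reject with a 4xx rather than silently clamping: a client that sends start=150000 is either a crawler that should be told the page does not exist or an attacker who should learn nothing about the real limits. The sleep() check is a pattern match, so it only catches the literal function name; it is a stopgap until the handler exposed to the Internet is restricted to the parameters it actually needs.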