[rabbitmq-discuss] DOS protection

Matthias Radestock matthias at rabbitmq.com
Mon Jul 8 16:47:09 BST 2013


Carl,

thanks for the answers. A few follow-up questions...

On 08/07/13 16:23, Carl Hörberg wrote:
> On Monday 8 July 2013 at 12:19, Matthias Radestock wrote:
>> - what entities do you want to monitor? You mention channels,
>> consumers and declarations (presumably by that you mean exchanges,
>> queues, and bindings). Any others?
>
> That, plus connection count.

Connection count is bounded by the available file descriptors, for which
you can tune the limit in the O/S. I would have thought that is sufficient.

> A global limit would be sufficient for the time being, just for
> protection, so that the cluster doesn't die before we can see who
> has done what.

So say rabbit enforced global limits for the numbers of channels, 
consumers, exchanges, queues and bindings. How would you go about 
picking the limits?

There is nothing wrong with having lots of channels, or lots of 
consumers, or lots of exchanges, etc, etc. But if you set upper bounds 
on what rabbit can sustain for each one of them, then a rabbit which 
encounters mixed usage could still run out of memory.

Furthermore, as you know, in the default configuration messages take up 
some residual memory even when paged to disk, which means there is less 
memory available for everything. This too makes it hard to choose any 
bounds which have a reasonable chance of working w/o being silly low.


Since your main concern is memory exhaustion - and by that presumably 
you mean rabbit crashing because it cannot allocate any more memory, 
rather than just hitting the memory alarm and blocking publishers - 
perhaps a better - simpler and more versatile - behaviour would be for 
rabbit to block all channel, consumer and resource declarations when 
memory gets *really* tight.


Regards,

Matthias.

