[rabbitmq-discuss] DOS protection
Matthias Radestock
matthias at rabbitmq.com
Mon Jul 8 16:47:09 BST 2013
Carl,
thanks for the answers. A few follow-up questions...
On 08/07/13 16:23, Carl Hörberg wrote:
> On Monday 8 July 2013 at 12:19, Matthias Radestock wrote:
>> - what entities do you want to monitor? You mention channels,
>> consumers and declarations (presumably by that you mean exchanges,
>> queues, and bindings). Any others?
>
> That, plus connection count.
Connection count is bounded by the available file descriptors, for which
you can tune the limit in the O/S. I would have thought that is sufficient.
> A global limit would be sufficient for the time being, just for
> protection, so that the cluster doesn't die before we can see who
> has done what.
So say rabbit enforced global limits for the numbers of channels,
consumers, exchanges, queues and bindings. How would you go about
picking the limits?
There is nothing wrong with having lots of channels, or lots of
consumers, or lots of exchanges, etc, etc. But if you set upper bounds
on what rabbit can sustain for each one of them, then a rabbit which
encounters mixed usage could still run out of memory.
Furthermore, as you know, in the default configuration messages take up
some residual memory even when paged to disk, which means there is less
memory available for everything. This too makes it hard to choose any
bounds which have a reasonable chance of working w/o being silly low.
Since your main concern is memory exhaustion - and by that presumably
you mean rabbit crashing because it cannot allocate any more memory,
rather than just hitting the memory alarm and blocking publishers -
perhaps a better - simpler and more versatile - behaviour would be for
rabbit to block all channel, consumer and resource declarations when
memory gets *really* tight.
Regards,
Matthias.