From 5fc6a745346517d1321b2e0b7ee0f6b7f88db5bd Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Mon, 12 Oct 2009 01:13:20 -0700 Subject: DEPLOY: update with notes on DoS potential --- DEPLOY | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'DEPLOY') diff --git a/DEPLOY b/DEPLOY index 95526e2..e04ef56 100644 --- a/DEPLOY +++ b/DEPLOY @@ -27,3 +27,16 @@ processing of the request body as it is being uploaded. In this case, haproxy or any similar (non-request-body-buffering) load balancer should be used to balance requests between different machines. + +== Denial-of-Service Concerns + +Since \Rainbows! is designed to talk to slow clients with long-held +connections, it may be subject to brute force denial-of-service attacks. +In Unicorn and Mongrel, we've already enabled the "httpready" accept +filter for FreeBSD and the TCP_DEFER_ACCEPT option in Linux; but it is +still possible to build clients that work around and fool these +mechanisms. + +\Rainbows! itself does not feature any explicit protection against brute +force denial-of-service attacks. We believe this is best handled by +dedicated firewalls provided by the operating system. -- cgit v1.2.3-24-ge0c7
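Review bot: In the last added paragraph, "best handled by dedicated firewalls provided by the operating system" gives the person deploying nothing to act on. Since the section admits that \Rainbows! has no protection of its own, name the kind of control meant, for example per-source limits on concurrent connections or on new-connection rate, and say that it has to sit in front of every listener. In the first added paragraph, "In Unicorn and Mongrel, we've already enabled" does not say whether \Rainbows! itself gets the "httpready" accept filter and TCP_DEFER_ACCEPT; state that explicitly, so the reader knows whether those mechanisms apply to this server or only to the other two. The wording "brute force denial-of-service" is also loose. The opening sentence points at slow clients with long-held connections, so describing the risk as exhaustion of connections by many such clients would tell operators what to monitor.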