Re: validating client in socket communication
- From: Nash <jeevs007@xxxxxxxxx>
- Date: Mon, 3 Nov 2008 02:40:12 -0800 (PST)
On Nov 3, 1:49 pm, "Peter Duniho" <NpOeStPe...@xxxxxxxxxxxxxxxx>
wrote:
> On Sun, 02 Nov 2008 22:09:52 -0800, Nash <jeevs...@xxxxxxxxx> wrote:
> > What I meant by invalid is some unauthorized client. If someone knows
> > the IP and port number where the server is listening for incoming
> > connections, they can write code to connect to the server, right?
> > I want to prevent that. What I thought is that every authorized
> > client will send some valid command, which the server will validate, so
> > the server will always send some data to the authorized client. But the
> > problem is the hacker program will not send any command for
> > authorization, so that socket will not be closed at all.
>
> What kind of hacker are you expecting? Will they send _any_ data? If
> not, then other than a denial-of-service attack, what would that hacker
> expect to accomplish?
>
> > Is there any other strategy I should follow to authorize the clients?
>
> It really depends on your application protocol. It's entirely possible,
> depending on your security needs, that it's sufficient that the client
> simply provide valid data. A custom protocol is unlikely to be known by a
> hacker, and so they're not going to send valid data.
>
> If you have a custom protocol but data that is sensitive, then
> yes...you'll probably want to add a layer of security on top of that.
> That way a hacker specifically targeting your server but who is actually
> aware of the protocol specifics still won't be able to get data. But, you
> should just make the authentication part of the protocol. Any client who
> attempts any operation except the authentication step would be dropped.
>
> That then leaves denial-of-service attacks as your main vulnerability.
> But that's not something you're going to be able to defend against in your
> server. The best you can do there is time out a connection if there's no
> activity after a certain amount of time, but all that does is help the
> server clean up from errors, dropped connections, etc.
>
> There's no way to set a timeout that is short enough to deal with DoS and
> yet allows a legitimate client to connect. In the server, you could keep
> a list of rejected IP addresses (e.g. clients that have been timed out
> recently, more than a certain number of times), but a) that may result in
> legitimate clients with poor network connections getting wrongly rejected,
> and b) you're still going to be limited by how fast your server can reject
> connections. DoS attacks are a whole other level of security issue, and
> frankly this newsgroup really isn't the best place to learn how to deal
> with them.
>
> Pete

Thanks, Pete, for your valuable reply.

I have another question about sockets. My requirement is a server
that can handle 1 million clients. Is it possible to keep 1 million
sockets open throughout, or should the client open the connection
whenever it needs to send data and then close it? Will there be any
more overhead in this process than in keeping the connection open forever?
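
The approach described in the quoted reply (authentication as the first protocol step, any other first message dropped, silent connections timed out), as an added example that is not part of the original thread. The HMAC challenge-response, the pre-shared `KEY`, the function names and the timeout values are all assumptions made for this sketch.

```python
import hashlib, hmac, os, socket, threading, time
KEY = b"constructed-demo-key"  # assumption: pre-shared secret, constructed for this demo
NONCE_LEN, MAC_LEN = 16, hashlib.sha256().digest_size

def recv_exact(conn, n, deadline):
    """Read exactly n bytes before the absolute deadline, else raise OSError."""
    buf = b""
    while len(buf) < n:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise socket.timeout("authentication deadline passed")
        conn.settimeout(remaining)  # total budget, so slow drip-feeding cannot extend it
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def authenticate(conn, key=KEY, timeout=5.0):
    """Server side, first step on every connection; closes the socket on failure."""
    nonce = os.urandom(NONCE_LEN)  # fresh challenge per connection, so replies cannot be replayed
    try:
        conn.sendall(nonce)
        reply = recv_exact(conn, MAC_LEN, time.monotonic() + timeout)
        ok = hmac.compare_digest(reply, hmac.new(key, nonce, hashlib.sha256).digest())
    except OSError:  # timeout, reset or early close
        ok = False
    if ok:
        conn.settimeout(None)  # authenticated: caller applies its own idle timeout
    else:
        conn.close()  # silent, wrong or broken peers are dropped
    return ok

def client_respond(conn, key=KEY):
    """Client side: answer the server's challenge with HMAC-SHA256(key, nonce)."""
    nonce = recv_exact(conn, NONCE_LEN, time.monotonic() + 5.0)
    conn.sendall(hmac.new(key, nonce, hashlib.sha256).digest())

def demo():
    """Three clients over local socket pairs: valid, wrong first message, silent."""
    srv, cli = socket.socketpair()
    threading.Thread(target=client_respond, args=(cli,)).start()
    valid = authenticate(srv)
    srv, cli = socket.socketpair()
    cli.sendall(b"HELLO".ljust(MAC_LEN, b"\0"))  # some other command instead of the auth reply
    wrong = authenticate(srv)
    srv, cli = socket.socketpair()
    silent = authenticate(srv, timeout=0.2)  # client connects and never sends
    return {"valid": valid, "wrong": wrong, "silent": silent}
```

The deadline only frees sockets held by clients that never authenticate; as the quoted reply says, it is not a defence against a flood of connections.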