proxy: rate limit authentication by masked IPv6. (#7316)

## Problem Many users have access to ipv6 subnets (eg a /64). That gives them 2^64 addresses to play with ## Summary of changes Truncate the address to /64 to reduce the attack surface. Todo: ~~Will NAT64 be an issue here? AFAIU they put the IPv4 address at the end of the IPv6 address. By truncating we will lose all that detail.~~ It's the same problem as a host sharing IPv6 addresses between clients. I don't think it's up to us to solve. If a customer is getting DDoSed, then they likely need to arrange a dedicated IP with us.
2026-06-02 04:50:38 +00:00 · 2024-04-16 15:16:34 +01:00
parent 926662eb7c
commit e5c50bb12b
7 changed files with 118 additions and 66 deletions
--- a/proxy/src/serverless/sql_over_http.rs
+++ b/proxy/src/serverless/sql_over_http.rs
@@ -541,7 +541,9 @@ async fn handle_inner(
    .map_err(SqlOverHttpError::from);

    let authenticate_and_connect = async {
-        let keys = backend.authenticate(ctx, &conn_info).await?;
+        let keys = backend
+            .authenticate(ctx, &config.authentication_config, &conn_info)
+            .await?;
        let client = backend
            .connect_to_compute(ctx, conn_info, keys, !allow_pool)
            .await?;