Clayton Barbier · Jul 7

TCP Inbound Adapter Best Practices


Are you aware if inbound TCP adapters are susceptible to any denial of services attacks, and, if so, does InterSystems have any best practices for mitigating them? For example, I wanted to determine if these scenarios were possible and what some good mitigating configurations might be:

  • If Job Per Connection not enabled and Stay Connected is default (set to -1): An unauthorized connection is made to a port, preventing a legitimate incoming connection to send data. Requiring an administrator to manually intervene
  • If Job Per Connection is enabled and Pool Size is default (set to 1): It looks like although 1 listener job is started for an incoming connection, the listener job could spawn an unlimited number of "connection jobs" for subsequent new connections. In this scenario, could an attacker flood a port with new connections and cause resource exhaustion?

I presume configuring certain IPs under "Allowed IP Addresses" is one mitigating configuration.

Thank you for your help and insight!

2 0 0 74
Log in or sign up to continue