From 9ba95fe7e1b49486accbb8042cdfb6a5e80c51d4 Mon Sep 17 00:00:00 2001 From: Mike Rylander Date: Tue, 21 Feb 2023 15:36:46 -0500 Subject: [PATCH] DoS protection release notes Signed-off-by: Mike Rylander Signed-off-by: Galen Charlton --- docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc diff --git a/docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc b/docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc new file mode 100644 index 0000000000..929c36a3aa --- /dev/null +++ b/docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc @@ -0,0 +1,10 @@ +== DoS Protection == + +Here we add two ways to protect against denial of service attacks: + * Limit concurrent search requests per client IP address + ** This helps address issues of accidental spamming from a malfunctioning OPAC workstation, or web crawlers of various types. The limit is controlled by a global flag called *opac.max_concurrent_search.ip*. By default there is no limit set. + * Limit the global concurrent search requests for the same query + ** This helps address both simple and distributed DoS that send the same search request over and over. The limit is controlled by a global flag called *opac.max_concurrent_search.query*, and defaults to 20. + +When a limit is exceeded the client receives an HTTP 429 "Too many requests" response from the web server, and the connection is ended. + -- 2.11.0
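Review bot: The two bullet descriptions name the global flags *opac.max_concurrent_search.ip* and *opac.max_concurrent_search.query* but never say where an administrator sets them or which value disables a limit. The per-IP entry only states "By default there is no limit set", and the per-query entry gives a default of 20 with no way shown to raise it or turn it off. Suggest adding one sentence covering how the flags are enabled and valued. The per-IP entry should also state which address is counted when the web server sits behind a proxy or load balancer, since otherwise every client behind it would share one limit. In the closing paragraph, the standard reason phrase is "Too Many Requests", and it is worth saying whether the client is expected to retry after a 429.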