[OAI-implementers] Dangers of OAI

Gary McGath gary at hulmail.harvard.edu
Tue Mar 27 08:51:25 EDT 2007


Torsten Schaßan wrote:
> Dear all,
> 
> today in my institution we had a long discussion about the 
> implementation of an OAI interface and the possible dangers of OAI: how 
> to prevent denial-of-service-like numbers of harvester requests?
> 
> What experiences do you have with such things as OAI doesn't have any 
> precaution to prevent something like this? Did you ever experience 
> problems for your servers or are there any measures we could implement 
> and which we have overlooked?

On our server for Virtual Collections (not yet publicly announced, but 
waiting only for a content switch setup), we have some code to delay 
responses by a few seconds if traffic gets too heavy. No more than a 
specified number of requests will be answered in a given time period; 
the others will be queued up.

This is intended mostly to prevent impact on other services which 
involve more direct human interaction, but also has an eye toward 
denial-of-service attacks. If legitimate traffic gets too heavy for 
short periods, that's a friendlier response than 503.

-- 
Gary McGath
Digital Library Software Engineer
Harvard University Libraries, Office for Information Systems
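
The delay-instead-of-503 approach described in the message above, as an added example; it is not code from the post or from the Harvard server. The names DelayThrottle, reserve and simulate, the limit/window values, and the max_delay cap (which keeps the queue of waiting requests bounded) are assumptions made for illustration.

```python
import threading
import time
from collections import deque


class DelayThrottle:
    """Answer at most `limit` requests per `window` seconds; delay the rest."""

    def __init__(self, limit, window, max_delay):
        self.window = window
        self.max_delay = max_delay          # assumed cap so the queue stays bounded
        self._slots = deque(maxlen=limit)   # answer times of the last `limit` requests
        self._lock = threading.Lock()

    def reserve(self, now=None):
        """Return seconds to wait before answering, or None if the queue is full."""
        if now is None:
            now = time.monotonic()
        with self._lock:
            slot = now
            if len(self._slots) == self._slots.maxlen:
                # The request `limit` places back must be a full window old.
                slot = max(now, self._slots[0] + self.window)
            if slot - now > self.max_delay:
                return None                 # caller falls back to rejecting (e.g. 503)
            self._slots.append(slot)
            return slot - now


def simulate(arrivals, limit=3, window=10, max_delay=20):
    """Feed constructed arrival times (seconds) through a throttle; return delays."""
    throttle = DelayThrottle(limit, window, max_delay)
    return [throttle.reserve(now=t) for t in arrivals]


if __name__ == "__main__":
    # Constructed burst: ten requests at t=0, then one at t=25 and one at t=100.
    burst = [0] * 10 + [25, 100]
    for t, delay in zip(burst, simulate(burst)):
        print(t, "rejected" if delay is None else f"answer after {delay}s")
```

In a request handler the caller would sleep for the returned delay before answering; a None result means the wait would exceed the cap, so the request is refused rather than queued.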



