...

Kafka network threads are mainly responsible for establishing connections with clients and other brokers, performing authentication with them, receiving Kafka protocol requests and responses, and for sending out Kafka protocol requests and responses. Performing authentication is one of the most expensive operation performed in the network thread, so much so that it could end up saturating them, preventing from getting any useful work from being done. Given this, a misconfigured application trying to connect with incorrect (or stale) credentials could cause a denial of service like situation. To help mitigate this issue, this KIP proposes to introduce a way of delaying response to a failed authentication. This will also help with the case of a malicious application trying a brute force password attack.

Public Interfaces

This KIP proposes to add a new broker configuration connection.failed.authentication.delay.ms which specifies the amount of time (in milliseconds) to delay a failed authentication response and subsequent socket disconnection by. In general, this must be configured to be lower than request.timeout.ms.

...