httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 33123] New: - Limit number of Connections by ClientHost/IP
Date Sun, 16 Jan 2005 17:03:13 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33123>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=33123

           Summary: Limit number of Connections by ClientHost/IP
           Product: Apache httpd-2.0
           Version: 2.0.52
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: All
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: hsunke@web.de


Hello,

at the moment, it's very easy to keep small/medium webservers unavailable to the 
world by just running hundreds of processes on a single machine, which each keep 
one connection to the webserver alive. These processes just have to open a 
tcp-socket to the server and try to read from it...so wait for nothing. When the 
server says Timeout after (default) 300 seconds, the concerned process closes 
the socket and opens a new one.
Running enough of these processes to even use many (200+) of Apache's 
connection queue-places (ListenBackLog) prevents any other client from issuing 
his HTTP request and getting an answer before Apache times out or the user loses 
his patience. So setting up a higher ListenBackLog makes no sense. Setting up more 
MaxClients does, but it does also consume more RAM...
The above described "attack" consumes a bandwidth between 1 and 3 KByte/sec.

I found things about SYN-Flood, but I think this is something very different.
Ok, if you know how to, you can prevent this single attacker machine by IPTABLE 
etc. but that's no real solution. With DynIP (like in Germany), you just 
reconnect your internet and get a new Address.

Maybe a Directive for limiting the amount of connections for each ClientIP could 
help?

greets,

Holger
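
The per-client limit requested in this report, shown as an added example (not part of the original message and not Apache httpd code): it caps concurrent connections per client IP and closes connections that never send a byte, long before a 300-second Timeout would. The class name, method names, the limit of 10, the 10-second first-byte deadline and the sample addresses are assumptions made for illustration.

```python
class ConnectionLimiter:
    """Hypothetical per-client-IP cap on concurrent connections, plus a short
    deadline for connections that have not sent any request bytes yet."""

    def __init__(self, max_per_ip=10, first_byte_timeout=10.0):
        self.max_per_ip = max_per_ip
        self.first_byte_timeout = first_byte_timeout
        self.per_ip = {}   # ip -> number of open connections
        self.conns = {}    # conn_id -> [ip, accepted_at, got_data]

    def accept(self, conn_id, ip, now):
        """Return True if this connection may occupy a worker slot."""
        if self.per_ip.get(ip, 0) >= self.max_per_ip:
            return False   # client is at its cap: refuse, keep the slot free
        self.per_ip[ip] = self.per_ip.get(ip, 0) + 1
        self.conns[conn_id] = [ip, now, False]
        return True

    def data_received(self, conn_id):
        """Mark a connection as having sent at least one request byte."""
        if conn_id in self.conns:
            self.conns[conn_id][2] = True

    def close(self, conn_id):
        """Release the slot and the per-IP count held by a connection."""
        entry = self.conns.pop(conn_id, None)
        if entry is None:
            return
        ip = entry[0]
        self.per_ip[ip] -= 1
        if self.per_ip[ip] == 0:
            del self.per_ip[ip]

    def reap_silent(self, now):
        """Close connections that sent nothing within the first-byte deadline."""
        stale = [cid for cid, (_, t0, got) in self.conns.items()
                 if not got and now - t0 >= self.first_byte_timeout]
        for cid in stale:
            self.close(cid)
        return stale


def simulate():
    """Constructed scenario: one client opens 300 silent connections at t=0,
    a second client connects at t=1 and sends a request."""
    lim = ConnectionLimiter(max_per_ip=10, first_byte_timeout=10.0)
    admitted = sum(lim.accept(f"a{i}", "192.0.2.10", 0.0) for i in range(300))
    other_ok = lim.accept("b0", "198.51.100.7", 1.0)
    lim.data_received("b0")
    reaped = lim.reap_silent(10.0)
    return admitted, other_ok, len(reaped), dict(lim.per_ip)
```

A per-IP cap does not address the address-change case raised in the report; the first-byte deadline is what bounds how long any single silent connection can hold a slot.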
