httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r369829 - /httpd/httpd/trunk/docs/manual/misc/security_tips.xml
Date Tue, 17 Jan 2006 16:14:53 GMT
Author: rpluem
Date: Tue Jan 17 08:14:49 2006
New Revision: 369829

* Removed patch again as it clashed with Joshua's on the same topic


Modified: httpd/httpd/trunk/docs/manual/misc/security_tips.xml
--- httpd/httpd/trunk/docs/manual/misc/security_tips.xml (original)
+++ httpd/httpd/trunk/docs/manual/misc/security_tips.xml Tue Jan 17 08:14:49 2006
@@ -398,58 +398,5 @@
-  <section id="timeoutsettings">
-    <title>Mitigate the risk of DoS attacks</title>
-    <p>DoS attacks on systems that assign one thread / process to a client
-    connection for the duration of the connection are a general problem and well
-    known for a long time. Not only httpd is affected by this problem, but also
-    several other servers of different vendors, e.g. smtp servers, pop3 servers,
-    application servers.</p>
-    <p>Usual approaches to mitigate this risk are</p>
-    <ol>
-        <li>Set a timeout value for the network operations, such that the
-        connection gets canceled if no data is transmitted on this connection
-        within the timeout period.</li>
-        <li>Limit the number of simultaneous connections that can be made from
-        one IP. Of course this is no help against DDoS.</li>
-    </ol>
-    <p>Mapping this back to the Apache httpd server 1. can be reached by
-    lowering the value of the parameters
-    <directive module="core">Timeout</directive> and
-    <directive module="core">KeepAliveTimeout</directive>. A value that should
-    work for most sites not using long running CGI scripts is between 5 and 10.
-    Some sites even turn off the keepalives completely, which has of course other
-    drawbacks on performance.</p>
-    <p>2. can be reached by either limiting this on firewall / OS level or by
-    using 3rd party httpd modules that limit the number of simultaneous
-    connections from one IP.</p>
-    <p>Since httpd 2.2.0 the risk of tying httpd processes / threads in request
-    reads can be further limited by the use of accept filters via the directive 
-    <directive module="core">AcceptFilter</directive>. These are currently only
-    available on Linux and FreeBSD systems. The protection by the FreeBSD accept
-    filters is better than by Linux's more primitive TCP_DEFER_ACCEPT. For more
-    details see the link above.</p>
-    <p>Another approach to mitigate this risk is to decouple the fixed one
-    thread / process to one client connection assignment and change it to an
-    event driven modell, that assigns threads / processes to the connection
-    only when there is data available to process. During the time where there
-    is no data available the client connections do not block a thread / process
-    but are only watched by one common event thread for new data to arrive via
-    system calls like poll. This is currently work in progress on the trunk
-    (development branch of httpd). It might be part of the next stable major
-    release (2.4 or 3.0). Parts of this are already available as the
-    experimental event MPM in httpd 2.2.x (see <module>event</module>).</p>
-  </section>

View raw message