httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ed Korthof" ...@organic.com>
Subject Problems w/ deny
Date Tue, 07 Jan 1997 02:23:05 GMT
I consider this a bug.  Deny from statements are applied only after a request
has been read.  This means that a remote host can use a very simple denial of
service attack to completely incapacitate a web server (unless you have a
firewall you can reconfigure to deny from that specific host).  The remote host
opens a connection, then never asks for anything.  The connection hangs until
you hit TimeOut -- the default is 1200 seconds, but even with a low value it's
possible to kill a server through 10 requests a second which simply hang till
they timeout.

I'm nearly done w/ a patch to prevent more than a configurable number of
connections from a single host; it should be done by Wednesday.  Could we
consider including it in the 1.2 release?  Given that you can't use "deny from
..." to protect from the above DoS attack, we should have some sort of
protection.

-- 
     -- Ed Korthof        |  Web Server Engineer --
     -- ed@organic.com    |  Organic Online, Inc --
     -- (415) 278-5676    |  Fax: (415) 284-6891 --

Mime
View raw message