httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject Re: Problems w/ deny
Date Tue, 07 Jan 1997 03:05:12 GMT
On Mon, 6 Jan 1997, Ed Korthof wrote:

> I consider this a bug.  Deny from statements are applied only after a request
> has been read.  This means that a remote host can use a very simple denial of
> service attack to completely incapacitate a web server (unless you have a
> firewall you can reconfigure to deny from that specific host).  The remote host
> opens a connection, then never asks for anything.  The connection hangs until
> you hit TimeOut -- the default is 1200 seconds, but even with a low value it's
> possible to kill a server through 10 requests a second which simply hang till
> they timeout.

I think there should be a very small timeout for reading the request +
HTTP headers. I don't see why a server should wait more than a few (~5)
seconds for the basic request info.

> I'm nearly done w/ a patch to prevent more than a configurable number of
> connections from a single host; it should be done by Wednesday.  Could we
> consider including it in the 1.2 release?

Mmm, there's a lot of features being proposed when we're supposed to be
in bug-fix mode. Can this go in the patches dir instead?

Adding a reasonable request reading Timeout I'd consider a bugfix, adding
a resource capping system I'd consider a feature.

If it's big, I'll probably veto it with a recommendation it goes in the
patches directory.

Ben, as release manager can you clarify the position on features/fixes
and give us a timetable to aim at? I feel we're losing direction and
momentum. 1.2 final was supposed to be the same as 1.2b1 + fixes.


rob
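The thread above describes two defences: a short deadline for reading the request line and headers (Rob's proposed bugfix), and a cap on simultaneous connections from one client address (Ed's proposed feature). The following is an added illustration written for this page, not code from Apache or from either poster. It assumes nothing about the 1.2 code base; the helper names (`read_request_head`, `simulate_client`, `PerHostConnectionLimiter`) and the sample request bytes are constructed for the example. The deadline is enforced on the whole header read, so a client that trickles one byte at a time cannot reset it.

```python
import socket
import time

# Constructed defaults for the example: a few seconds is plenty for a request head.
HEADER_DEADLINE_SECONDS = 5.0
MAX_HEADER_BYTES = 8192


class RequestReadTimeout(Exception):
    """Raised when the request line + headers do not arrive before the deadline."""


def read_request_head(conn, deadline=HEADER_DEADLINE_SECONDS, max_bytes=MAX_HEADER_BYTES):
    """Read the request line and headers (up to the blank line) from `conn`.

    The deadline covers the entire head, not each recv() call, so a client
    that sends a byte every few seconds still gets cut off at `deadline`.
    Returns (request_line, headers_dict).
    """
    buf = b""
    end = time.monotonic() + deadline
    while b"\r\n\r\n" not in buf:
        remaining = end - time.monotonic()
        if remaining <= 0:
            raise RequestReadTimeout("no complete request head within deadline")
        conn.settimeout(remaining)  # never wait longer than what is left
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise RequestReadTimeout("no complete request head within deadline")
        if not chunk:
            raise ConnectionError("client closed before sending a complete request head")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("request head exceeds %d bytes" % max_bytes)

    head, _, _ = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return request_line, headers


def simulate_client(payload, deadline=0.3):
    """Drive read_request_head() over a socketpair with a constructed client.

    payload=None models the hanging client from the thread (connects, sends
    nothing); a payload without the terminating blank line models a slow or
    partial sender. Returns "ok" or "timeout".
    """
    server_side, client_side = socket.socketpair()
    try:
        if payload is not None:
            client_side.sendall(payload)
        try:
            request_line, headers = read_request_head(server_side, deadline=deadline)
            return "ok", request_line, headers
        except RequestReadTimeout:
            return "timeout", None, None
    finally:
        server_side.close()
        client_side.close()


class PerHostConnectionLimiter:
    """Cap on concurrent connections per client address (the feature Ed proposed)."""

    def __init__(self, max_per_host):
        self.max_per_host = max_per_host
        self._active = {}

    def acquire(self, host):
        """Return True and count the connection, or False if the host is at its cap."""
        if self._active.get(host, 0) >= self.max_per_host:
            return False
        self._active[host] = self._active.get(host, 0) + 1
        return True

    def release(self, host):
        """Release one connection slot for `host` when it closes."""
        if self._active.get(host, 0) > 0:
            self._active[host] -= 1
            if self._active[host] == 0:
                del self._active[host]

    def active(self, host):
        return self._active.get(host, 0)


if __name__ == "__main__":
    print(simulate_client(b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"))
    print(simulate_client(None))                           # hanging client
    print(simulate_client(b"GET / HTTP/1.0\r\nHost: ex"))  # partial head
```

With the deadline in place, a client that opens a connection and never completes its headers holds a server slot for `deadline` seconds rather than the full `TimeOut`, and the limiter bounds how many such slots one address can occupy at once. The two mechanisms are independent: the timeout alone is the minimal fix the message argues for, the cap is the larger change.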
