httpd-dev mailing list archives

From Cliff Skolnick <>
Subject Re: Problems w/ deny
Date Tue, 07 Jan 1997 02:47:29 GMT

The nasty tools that lock up web servers use SYN attacks.  Since the SYN
attack takes place before the TCP three-way handshake is complete, the
application will not even know about it.  Protecting against SYN attacks
is pretty hard, and even those that say they do actually only make a lame
attempt and stop some but not all.  As for firewalls, any good SYN bomb
uses rotating IP source addresses, so they are not much good.  This is a real
problem that cannot be solved 100%, except by changing TCP.

All the above aside, the idea of limiting the number of connections from a
single host is good.  It could really lessen the risks of broken browsers
and evil robots.  As for including it, I don't think the denial of service
argument is enough to include it in 1.2; the next release is better IMHO.
Anyone who needs to lock out an attack really has to do it at the
firewall, not in each application.

How about a "late-patch" directory for stuff that just missed the 1.2 
cutoff that is useful and will be included in the next release?

On Mon, 6 Jan 1997, Ed Korthof wrote:

> I consider this a bug.  Deny from statements are applied only after a request
> has been read.  This means that a remote host can use a very simple denial of
> service attack to completely incapacitate a web server (unless you have a
> firewall you can reconfigure to deny from that specific host).  The remote host
> opens a connection, then never asks for anything.  The connection hangs until
> you hit TimeOut -- the default is 1200 seconds, but even with a low value it's
> possible to kill a server through 10 requests a second which simply hang till
> they time out.
> I'm nearly done w/ a patch to prevent more than a configurable number of
> connections from a single host; it should be done by Wednesday.  Could we
> consider including it in the 1.2 release?  Given that you can't use "deny from
> ..." to protect from the above DoS attack, we should have some sort of
> protection.
> -- 
>      -- Ed Korthof        |  Web Server Engineer --
>      --    |  Organic Online, Inc --
>      -- (415) 278-5676    |  Fax: (415) 284-6891 --

Cliff Skolnick, Technical Consultant
Steam Tunnel Operations, 415.297.5938
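Added example, not Ed's patch and not Apache code: a toy Python listener that makes the admission decision Ed describes at accept() time, before a single request byte has been read. It combines a per-host connection cap, a short timeout for connections that never send a request, and a deny list consulted at the same point (the ordering problem Ed raises with "deny from" is that the check runs only after the request is read, which a silent client never triggers). The names PerHostLimiter, GuardedServer and run_scenario are made up for this illustration, and the server binds to 127.0.0.1 on an OS-chosen port; run_scenario() replays the attack from the quoted message against it and reports what the guard did.

```python
import contextlib
import socket
import threading
from collections import Counter


class PerHostLimiter:
    """Admission check made at accept() time, before any request byte is read."""
    def __init__(self, max_per_host, denied=()):
        self.max_per_host = max_per_host
        self.denied = frozenset(denied)  # refused outright, like a "deny from"
        self._counts = Counter()
        self._lock = threading.Lock()

    def acquire(self, host):
        with self._lock:
            if host in self.denied or self._counts[host] >= self.max_per_host:
                return False
            self._counts[host] += 1
            return True

    def release(self, host):
        with self._lock:
            self._counts[host] -= 1

    def count(self, host):
        return self._counts[host]


class GuardedServer:
    """Toy HTTP/1.0 listener: per-host cap at accept(), silent connections dropped."""
    def __init__(self, max_per_host=3, request_timeout=2.0, denied=()):
        self.limiter = PerHostLimiter(max_per_host, denied)
        self.request_timeout = request_timeout
        self.stats = Counter()
        self.stop = threading.Event()
        self._sock = socket.create_server(("127.0.0.1", 0))  # port 0: OS picks one
        self._sock.settimeout(0.1)  # lets the accept loop notice stop
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while not self.stop.is_set():
            try:
                conn, (host, _port) = self._sock.accept()
            except socket.timeout:
                continue
            # Decision point: nothing has been read yet.  A check that runs only
            # after the request line arrives never sees a client that sends none.
            if not self.limiter.acquire(host):
                self.stats["refused"] += 1
                conn.close()
                continue
            threading.Thread(target=self._serve, args=(conn, host), daemon=True).start()
        self._sock.close()

    def _serve(self, conn, host):
        conn.settimeout(self.request_timeout)
        try:
            if conn.recv(4096).startswith(b"GET "):
                self.stats["served"] += 1
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except socket.timeout:
            self.stats["timed_out"] += 1  # the idle-connection attack lands here
        finally:
            self.limiter.release(host)  # release before close so counts stay exact
            conn.close()


def _drain(sock):
    """Read until the peer closes, then close ours; b'' means it sent nothing."""
    sock.settimeout(5)
    chunks = []
    with contextlib.suppress(OSError):  # a reset also counts as closed
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    sock.close()
    return b"".join(chunks)


def run_scenario(max_per_host=3, request_timeout=2.0):
    """Replays the idle-connection attack from the thread against the listener."""
    host, srv = "127.0.0.1", GuardedServer(max_per_host, request_timeout)
    try:
        # Attacker opens max_per_host connections and never sends a request.
        idle = [socket.create_connection((host, srv.port)) for _ in range(max_per_host)]
        # One more from the same host is closed at accept() with nothing read
        # (connections are accepted in order, so the idle ones hold the slots).
        refused_immediately = _drain(socket.create_connection((host, srv.port))) == b""
        at_cap = srv.limiter.count(host)
        # Silent connections are reaped once request_timeout elapses...
        reaped = all(_drain(s) == b"" for s in idle)
        after_reap = srv.limiter.count(host)
        # ...and a well-behaved client from the same host gets through again.
        client = socket.create_connection((host, srv.port))
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")
        served_ok = _drain(client).startswith(b"HTTP/1.0 200")
    finally:
        srv.stop.set()
    return {"at_cap": at_cap, "refused_immediately": refused_immediately, "reaped": reaped,
            "after_reap": after_reap, "served_ok": served_ok, "stats": dict(srv.stats)}
```

Cliff's caveat still applies to this guard: it only helps against connections that complete the TCP handshake and then go silent. A SYN flood from rotating source addresses never reaches accept(), so nothing at this layer can see it.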
