httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <>
Subject Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)
Date Wed, 14 Jan 1998 21:54:26 GMT
Marc Slemko wrote:
> On Wed, 14 Jan 1998, Dean Gaudet wrote:
> > This is a cute DoS attack.  I like it :) 
> > 
> > It should be an fstat(), which is faster than stat() on many unixes
> > because they don't have to do path resolution twice.  We also should have
> > some way of disabling it in the call -- but should default every call to
> > having the protection enabled.  We'd disable it in default_handler
> > naturally, since we've already protected against devices. 
> Joy joy.  Now for .htaccess files we not only have to (by default) open
> (or try to open) a zillion files, we have to stat them too.  That sucks.
> I would really like a nicer workaround, but... finding one is a different
> matter.  If someone has access to the system (ie. a shell) they can still
> mess with you no matter what you do.  
> Apache is not compartmentalized between users; until you have some overall
> way to be sure that no user can make requests eat "too much" of any
> resource, you will always be subject to similar attacks.  I don't know of
> any server of any type that isn't very restrictive that really is very
> well; well, any server of this nature.  There are operating systems that
> are and a few big apps that are, but... 

We'll never be able to protect against DoS attacks, esp if a
nasty user wants to fool around... After all, they could upload
a HUGE graphic, then log in with a 9600baud modem, load the image,
and as that comes through, create a new browser-window, load it
again, etc.. until MaxClients.

      Jim Jagielski            |       jaguNET Access Services           |
            "Look at me! I'm wearing a cardboard belt!"

View raw message