httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)
Date Wed, 14 Jan 1998 21:50:17 GMT
On Wed, 14 Jan 1998, Dean Gaudet wrote:

> This is a cute DoS attack.  I like it :) 
> 
> It should be an fstat(), which is faster than stat() on many unixes
> because they don't have to do path resolution twice.  We also should have
> some way of disabling it in the call -- but should default every call to
> having the protection enabled.  We'd disable it in default_handler
> naturally, since we've already protected against devices. 

Joy joy.  Now for .htaccess files we not only have to (by default) open
(or try to open) a zillion files, we have to stat them too.  That sucks.

I would really like a nicer workaround, but... finding one is a different
matter.  If someone has access to the system (i.e. a shell) they can still
mess with you no matter what you do.  

Apache is not compartmentalized between users; until you have some overall
way to be sure that no user can make requests eat "too much" of any
resource, you will always be subject to similar attacks.  I don't know of
any server of any type that isn't very restrictive that really is very
well; well, any server of this nature.  There are operating systems that
are and a few big apps that are, but... 

> 
> More generally:  we should change the server so that alarms just can't be
> blocked across system calls.  How to do this I'm not sure at all yet. 
> It's just not a good idea for us to be without a timeout, ever.
> 
> We could really use an efficient "MaxConnectionsPerIP".  But I'm worried
> about proxies.
> 
> Dean
> 
> On Wed, 14 Jan 1998, Marc Slemko wrote:
> 
> > I'm not sure I go for stat()ing every file we try to open an extra time,
> > but...
> 
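
The check proposed in the quoted text (fstat() on the descriptor that was just opened, instead of a second stat() on the path), as an added example; it is not code from this thread or from Apache. `open_regular` and `demo` are hypothetical names, the sample files are constructed, and the use of `O_NONBLOCK` is this example's assumption, not something the thread specifies.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not an Apache API. Returns a descriptor for a
 * regular file, or -1 with errno set. O_NONBLOCK (assumption) keeps
 * open() from sleeping on a FIFO that has no writer. */
int open_regular(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() inspects the object actually opened: the path is resolved
     * once, and it cannot be swapped between the check and the open. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
        fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
        return fd;
    }
    close(fd);
    errno = EACCES;   /* not a regular file (or fstat failed) */
    return -1;
}

/* Constructed inputs: a temp regular file, a FIFO named "htaccess", and
 * /dev/null. Returns a bitmask of accepted ones (1 file, 2 FIFO, 4 device). */
int demo(void)
{
    char file[] = "/tmp/htdemoXXXXXX", dir[] = "/tmp/htdirXXXXXX";
    char fifo[64];
    int mask = 0, fd, t = mkstemp(file);
    if (t < 0 || !mkdtemp(dir)) return -1;
    close(t);
    snprintf(fifo, sizeof fifo, "%s/htaccess", dir);
    if (mkfifo(fifo, 0600) < 0) return -1;
    if ((fd = open_regular(file)) >= 0) { mask |= 1; close(fd); }
    if ((fd = open_regular(fifo)) >= 0) { mask |= 2; close(fd); }
    if ((fd = open_regular("/dev/null")) >= 0) { mask |= 4; close(fd); }
    unlink(file); unlink(fifo); rmdir(dir);
    return mask;
}

int main(void) { printf("accepted mask: %d\n", demo()); return 0; }
```

Only the regular file is accepted. The per-call cost raised in the reply is the one extra fstat() on each file that opens successfully.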

