httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)
Date Wed, 14 Jan 1998 21:57:51 GMT
On Wed, 14 Jan 1998, Jim Jagielski wrote:

> Marc Slemko wrote:
> > 
> > On Wed, 14 Jan 1998, Dean Gaudet wrote:
> > 
> > > This is a cute DoS attack.  I like it :) 
> > > 
> > > It should be an fstat(), which is faster than stat() on many unixes
> > > because they don't have to do path resolution twice.  We also should have
> > > some way of disabling it in the call -- but should default every call to
> > > having the protection enabled.  We'd disable it in default_handler
> > > naturally, since we've already protected against devices. 
> > 
> > Joy joy.  Now for .htaccess files we not only have to (by default) open
> > (or try to open) a zillion files, we have to stat them too.  That sucks.
> > 
> > I would really like a nicer workaround, but... finding one is a different
> > matter.  If someone has access to the system (ie. a shell) they can still
> > mess with you no matter what you do.  
> > 
> > Apache is not compartmentalized between users; until you have some overall
> > way to be sure that no user can make requests eat "too much" of any
> > resource, you will always be subject to similar attacks.  I don't know of
> > any server of any type that isn't very restrictive that really is very
> > well; well, any server of this nature.  There are operating systems that
> > are and a few big apps that are, but... 
> > 
> 
> We'll never be able to protect against DoS attacks, esp if a
> nasty user wants to fool around... After all, they could upload
> a HUGE graphic, then log in with a 9600baud modem, load the image,
> and as that comes through, create a new browser-window, load it
> again, etc.. until MaxClients.

But if it were properly set up no one user would be able to have requests
that would destroy "other" pages on the server.
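The open-then-fstat() check Dean describes, written out as an added C example that is not from this thread or from Apache's source: a file named by an auth directive is accepted only if the descriptor refers to a regular file. The O_NONBLOCK open, the function names and the constructed inputs under /tmp are assumptions of this example, not anything the thread specifies.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read-only and return the fd only if fstat() says it is a regular
 * file; FIFOs, devices, sockets and directories are closed and rejected (-1).
 * fstat() on the fd we hold means one path walk and no stat()/open() window.
 * O_NONBLOCK is an assumption beyond the thread: open() then cannot hang on a FIFO. */
int open_regular_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    int flags = fcntl(fd, F_GETFL);             /* restore blocking reads */
    if (flags >= 0) fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    return fd;
}

/* 1 if path would be accepted as an auth file, 0 if rejected. */
int is_regular_file_path(const char *path)
{
    int fd = open_regular_file(path);
    if (fd >= 0)
        close(fd);
    return fd >= 0;
}

/* Self-check on constructed inputs under /tmp (a regular file, a FIFO) plus
 * /dev/null. Returns 1 when all three are classified as expected. */
int self_check(void)
{
    char reg[80], fifo[80];
    snprintf(reg, sizeof reg, "/tmp/authck_%ld.users", (long)getpid());
    snprintf(fifo, sizeof fifo, "/tmp/authck_%ld.fifo", (long)getpid());
    FILE *f = fopen(reg, "w");
    if (f) { fputs("alice:x\n", f); fclose(f); }   /* constructed line */
    int ok = f != NULL && mkfifo(fifo, 0600) == 0
          && is_regular_file_path(reg) == 1
          && is_regular_file_path(fifo) == 0
          && is_regular_file_path("/dev/null") == 0;
    unlink(reg); unlink(fifo);
    return ok;
}
```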
