httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)
Date Thu, 15 Jan 1998 21:06:31 GMT

On Thu, 15 Jan 1998, Martin Kraemer wrote:

> On Thu, Jan 15, 1998 at 01:43:42PM -0700, Marc Slemko wrote:
> > This does not completely prevent the attempt at reading the file from
> > blocking (only in at least 99% of the cases; although 1% can be bad...)
> > but does make it a lot more difficult for it to block and prevents endless
> > reads.  
> I think that blocking is not the only result of this kind of DoS attack:
> even when the server continues to read (/dev/zero), it will NEVER reach
> EOF. So huge amounts of CPU power can be bound by a few evil processes.

No, read the first bit.  You trash the request if you don't reach end of
line before end of the 8k buffer you read from.

> 
> > Heck, let's think up some cool attacks on systems that use automounters or
> > AFS.
> 
> What a cruel idea...! Oh, yes, that could take some time...
> 
>     Martin
> -- 
> | S I E M E N S |  <Martin.Kraemer@mch.sni.de>  |      Siemens Nixdorf
> | ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
> | N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
> ~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
> 
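
The rule described in the reply above (give up when no end of line turns up within the 8k buffer), sketched in C as an added example; it is not the patch under discussion and not Apache code. The `getch_fn` callback, `bounded_getline`, `scan_config` and both byte sources are hypothetical names, and the never-ending source is a constructed stand-in for /dev/zero.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define LINE_CAP 8192   /* the 8k buffer from the message */

/* Hypothetical byte source: returns the next byte, or -1 at end of input. */
typedef int (*getch_fn)(void *param);
/* 1 = got a line, 0 = end of input, -1 = buffer full with no end of line. */
static int bounded_getline(getch_fn getch, void *param, char *buf, size_t cap) {
    size_t n = 0;
    int c;
    while ((c = getch(param)) != -1) {
        if (c == '\n') { buf[n] = '\0'; return 1; }
        if (n + 1 >= cap) return -1;     /* give up instead of reading on */
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    return n > 0;                        /* last line may lack a newline */
}

/* Number of lines read, or -1 if the input was rejected. */
int scan_config(getch_fn getch, void *param) {
    char buf[LINE_CAP];
    int lines = 0, r;
    while ((r = bounded_getline(getch, param, buf, sizeof buf)) == 1)
        lines++;
    return r == 0 ? lines : -1;
}

/* Constructed source 1: an ordinary file held in memory. */
struct mem { const char *p; size_t left; };
static int mem_getch(void *param) {
    struct mem *m = param;
    return m->left ? (m->left--, (unsigned char)*m->p++) : -1;
}
int scan_string(const char *s) {
    struct mem m = { s, strlen(s) };
    return scan_config(mem_getch, &m);
}

/* Constructed source 2: never ends, like /dev/zero; counts bytes handed out. */
static int zero_getch(void *param) { ++*(size_t *)param; return 0; }
size_t bytes_before_reject(void) {
    size_t n = 0;
    return scan_config(zero_getch, &n) == -1 ? n : 0;
}

int main(void) {
    printf("%d lines; endless input rejected after %zu bytes\n",
           scan_string("AuthType Basic\nrequire valid-user\n"), bytes_before_reject());
}
```

The work done on an endless input is bounded by the buffer size, which addresses the CPU concern raised in the quoted text; it does nothing about a read that blocks.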

