httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <>
Subject Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)
Date Wed, 14 Jan 1998 20:52:59 GMT
This is a cute DoS attack.  I like it :) 

It should be an fstat(), which is faster than stat() on many unixes
because they don't have to do path resolution twice.  We also should have
some way of disabling it in the call -- but should default every call to
having the protection enabled.  We'd disable it in default_handler
naturally, since we've already protected against devices. 

More generally:  we should change the server so that alarms just can't be
blocked across system calls.  How to do this I'm not sure at all yet. 
It's just not a good idea for us to be without a timeout, ever.

We could really use an efficient "MaxConnectionsPerIP".  But I'm worried
about proxies.


On Wed, 14 Jan 1998, Marc Slemko wrote:

> I'm not sure I go for stat()ing every file we try to open an extra time,
> but...

View raw message