httpd-dev mailing list archives

From Dirk-Willem van Gulik <dirk.vangu...@jrc.it>
Subject Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)
Date Thu, 15 Jan 1998 10:57:43 GMT
On Thu, 15 Jan 1998, Jim Jagielski wrote:

> Dirk-Willem van Gulik wrote:
> > 
> > On Wed, 14 Jan 1998, Marc Slemko wrote:
> > 
> > > > We'll never be able to protect against DoS attacks, esp if a
> > > > nasty user wants to fool around... After all, they could upload
> > > > a HUGE graphic, then log in with a 9600baud modem, load the image,
> > > > and as that comes through, create a new browser-window, load it
> > > > again, etc.. until MaxClients.
> >  
> > But there is already a lot of time-out type of protection in the various
> > not so blocking read/writes. That is different from the /dev/zero type of 
> > go-away problems; which might mean an overall resource/time/cycles limit.
> > 
> 
> cron, lynx, shell.
> 
> Think about it :)
> 

I've lost you here.. I was trying to express that by carefully setting the
various limits for the classes which run apache and the spawned off
children; one can safeguard to a fair extent to the type of DoS which are
effectively just causing resource eating; such as the open on /dev/zero.

Or is this fundamentally wrong ?

Dw.

