Posted-Date: Thu, 15 Jan 1998 11:57:43 +0100 (MET)
Date: Thu, 15 Jan 1998 11:57:43 +0100 (MET)
From: Dirk-Willem van Gulik <dirk.vangulik@jrc.it>
To: Jim Jagielski <jim@jaguNET.com>
Cc: new-httpd@apache.org
Subject: Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)
In-Reply-To: <199801151054.FAA11711@devsys.jaguNET.com>
Message-Id: <Pine.SOL.3.96.980115115548.8962G-100000@elect6.jrc.it>
Reply-Path: Dirk.vanGulik@jrc.it
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Thu, 15 Jan 1998, Jim Jagielski wrote:

> Dirk-Willem van Gulik wrote:
> > 
> > On Wed, 14 Jan 1998, Marc Slemko wrote:
> > 
> > > > We'll never be able to protect against DoS attacks, esp if a
> > > > nasty user wants to fool around... After all, they could upload
> > > > a HUGE graphic, then log in with a 9600baud modem, load the image,
> > > > and as that comes through, create a new browser-window, load it
> > > > again, etc.. until MaxClients.
> >  
> > But there is already a lot of time-out type of protection in the various
> > not so blocking read/writes. That is different from the /dev/zero type of 
> > go-away problems; which might mean an overall resource/time/cycles limit.
> > 
> 
> cron, lynx, shell.
> 
> Think about it :)
> 

I've lost you here.. I was trying to express that by carefully setting the
various limits for the classes which run apache and the spawned off
children; one can safeguard to a fair extend to the type of DoS which are
effectively just causing resource eating; such as the open on /dev/zero.

Or is this fundamentally wrong ?

Dw.