httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: yaDoS
Date Tue, 03 Feb 1998 03:53:57 GMT
On Mon, 2 Feb 1998, Dean Gaudet wrote:

> I suppose then we just trade local DoS for total DoS.  For example if we

Exactly.  Going one step further, one user on a multiuser box can block
all others.  

Make it a non-default option, log whenever it is invoked, and have an
alert admin looking at the logs and noting if there are any problem
proxies, etc.

> allow 8 connections from each unique ip address then a user behind a proxy
> can block out the rest of the users behind that proxy.  Unless of course
> the proxy implements the SHOULD restriction in section 8.1.4 of rfc2068...
> the restriction that says the proxy shouldn't allow more than 2N
> connections to a remote site where N is the number of proxied clients.

That is a nice section, but if you try writing a proxy I think you will
find that it isn't always that easy.  

So, any volunteers for a 1.1 proxy for 2.0?

> 
> I suppose I too can live with that. 
> 
> Dean
> 
> On Mon, 2 Feb 1998, Marc Slemko wrote:
> 
> > On Mon, 2 Feb 1998, Dean Gaudet wrote:
> > 
> > > And how do you deal with proxies?  We can't connection-limit proxies the
> > > same way we can connection-limit end users.
> > 
> > You assume that whatever proxy you are using on whatever site, you will
> > have enough other traffic that the proxy never gets that much usage.  Your
> > limits have to be set somewhat high.
> > 
> > When you reach a point of not serving any clients due to being full
> > serving connections from one client, I don't care if it is a proxy or not
> > or legit or not; I want it out.  The in-between is, of course, harder.
> > 
> > > 
> > > Dean
> > > 
> > > On Mon, 2 Feb 1998, Marc Slemko wrote:
> > > 
> > > > This isn't a new issue and has been looked at, but the thing with it is
> > > > that you require a real IP to do it and it shouldn't be that hard to
> > > > simply see what IPs are doing it then filter them.
> > > > 
> > > > Someone (Ed Korthof <ed@organic.com>?) wrote a patch once to do limiting
> > > > based on this, but it is a bit ugly and needs refining and was against
> > > > 1.2bsomething to start I think.  Not sure if he has a more recent one...
> > > 
> > 
> > 
> 
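
A sketch of the per-IP connection cap discussed in this thread, added here as an illustration; it is not Ed Korthof's patch or Apache code. It is off by default, logs every refusal, and shows that clients behind one proxy address share a single budget. The names `limiter`, `conn_open` and `conn_close`, the table size, the fail-open behaviour when the table is full, and the sample addresses are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#define MAX_TRACKED 64   /* table size: assumption for this sketch */

struct limiter {
    int enabled;         /* non-default: stays 0 unless the admin turns it on */
    int per_ip_max;      /* e.g. 8, the figure used in the thread */
    int rejected;        /* number of logged refusals */
    struct { char ip[46]; int open; } slots[MAX_TRACKED];
};

/* Index of the slot tracking ip, else a free slot, else -1 (table full). */
static int find_slot(const struct limiter *l, const char *ip) {
    int free_idx = -1;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (l->slots[i].open > 0 && strcmp(l->slots[i].ip, ip) == 0) return i;
        if (l->slots[i].open == 0 && free_idx < 0) free_idx = i;
    }
    return free_idx;
}

/* Returns 1 if the connection is accepted, 0 if refused (and logged). */
int conn_open(struct limiter *l, const char *ip) {
    if (!l->enabled) return 1;
    int i = find_slot(l, ip);
    if (i < 0) return 1;  /* table full: this sketch fails open */
    if (l->slots[i].open == 0)
        snprintf(l->slots[i].ip, sizeof l->slots[i].ip, "%s", ip);
    if (l->slots[i].open >= l->per_ip_max) {
        l->rejected++;
        fprintf(stderr, "conn-limit: refused %s (%d open, max %d)\n",
                ip, l->slots[i].open, l->per_ip_max);
        return 0;
    }
    l->slots[i].open++;
    return 1;
}

void conn_close(struct limiter *l, const char *ip) {
    int i = find_slot(l, ip);
    if (i >= 0 && l->slots[i].open > 0) l->slots[i].open--;
}

int main(void) {
    struct limiter l = { .enabled = 1, .per_ip_max = 8 };
    for (int n = 1; n <= 9; n++)   /* nine clients behind one proxy (constructed IP) */
        printf("proxy conn %d: %d\n", n, conn_open(&l, "192.0.2.10"));
    printf("other host: %d\n", conn_open(&l, "198.51.100.7"));
    return 0;
}
```

The ninth connection from the proxy address is refused no matter which user behind the proxy opened it, while the unrelated host is still served; the refusal lines on stderr are what an admin would review to spot problem proxies.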

