httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: yaDoS
Date Tue, 03 Feb 1998 04:03:51 GMT
I suppose then we just trade local DoS for total DoS.  For example if we
allow 8 connections from each unique ip address then a user behind a proxy
can block out the rest of the users behind that proxy.  Unless of course
the proxy implements the SHOULD restriction in section 8.1.4 of rfc2068...
the restriction that says the proxy shouldn't allow more than 2N
connections to a remote site where N is the number of proxied clients.

I suppose I too can live with that. 

Dean

On Mon, 2 Feb 1998, Marc Slemko wrote:

> On Mon, 2 Feb 1998, Dean Gaudet wrote:
> 
> > And how do you deal with proxies?  We can't connection-limit proxies the
> > same way we can connection-limit end users.
> 
> You assume that whatever proxy you are using on whatever site, you will
> have enough other traffic that the proxy never gets that much usage.  Your
> limits have to be set somewhat high.
> 
> When you reach a point of not serving any clients due to being full
> serving connections from one client, I don't care if it is a proxy or not
> or legit or not; I want it out.  The in-between is, of course, harder.
> 
> > 
> > Dean
> > 
> > On Mon, 2 Feb 1998, Marc Slemko wrote:
> > 
> > > This isn't a new issue and has been looked at, but the thing with it is
> > > that you require a real IP to do it and it shouldn't be that hard to
> > > simply see what IPs are doing it then filter them.
> > > 
> > > Someone (Ed Korthof <ed@organic.com>?) wrote a patch once to do limiting
> > > based on this, but it is a bit ugly and needs refining and was against
> > > 1.2bsomething to start I think.  Not sure if he has a more recent one...
> > 
> 
> 
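
The trade-off discussed in this thread, as an added example that is not part of the original messages or of Apache's code: a toy per-address connection limiter, run once with no cap and once with the cap of 8 mentioned above. The server size, table size, function names and the documentation-range addresses are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#define MAX_TOTAL  32   /* constructed: server-wide connection slots */
#define TABLE_SIZE 64   /* constructed: addresses tracked at once */
static struct ip_slot { char ip[46]; int active; } table[TABLE_SIZE];
static int total_active, per_ip_cap;

void limiter_reset(int cap) {   /* cap >= MAX_TOTAL means no per-address cap */
    memset(table, 0, sizeof table);
    total_active = 0; per_ip_cap = cap;
}

/* Find the slot tracking ip, or (if create) claim an idle one for it. */
static struct ip_slot *find_slot(const char *ip, int create) {
    struct ip_slot *idle = NULL;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (table[i].active > 0 && strcmp(table[i].ip, ip) == 0) return &table[i];
        if (table[i].active == 0 && !idle) idle = &table[i];
    }
    if (create && idle) snprintf(idle->ip, sizeof idle->ip, "%s", ip);
    return create ? idle : NULL;
}

int conn_open(const char *ip) {   /* 1 = accepted, 0 = refused */
    struct ip_slot *s = total_active < MAX_TOTAL ? find_slot(ip, 1) : NULL;
    if (!s || s->active >= per_ip_cap) return 0;   /* full, or address over cap */
    s->active++; total_active++;
    return 1;
}

void conn_close(const char *ip) {
    struct ip_slot *s = find_slot(ip, 0);
    if (s) { s->active--; total_active--; }
}

int open_many(const char *ip, int n) {   /* accepted count out of n attempts */
    int ok = 0;
    while (n-- > 0) ok += conn_open(ip);
    return ok;
}

int main(void) {
    int caps[] = { MAX_TOTAL, 8 };                 /* no cap, then 8 per address */
    for (int i = 0; i < 2; i++) {
        limiter_reset(caps[i]);
        int proxy = open_many("192.0.2.10", 40);   /* one user behind a proxy */
        printf("cap=%d proxy=%d other=%d\n", caps[i], proxy, conn_open("198.51.100.7"));
    }
    return 0;
}
```

With no cap the single address fills every slot and the unrelated client is refused; with the cap the unrelated client is served, but any further connection from the proxy's address is refused until one of its eight is closed.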

