Delivered-To: mailing list dev@httpd.apache.org
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Date: Thu, 20 Sep 2001 21:41:49 -0700 (PDT)
From: dean gaudet
Subject: Re: [PATCH] Timeout-based DoS attack fix
X-comment: visit http://arctic.org/~dean/legal for information regarding copyright and disclaimer.

On Thu, 20 Sep 2001, Ian Morgan wrote:

> RecvTimeout 5
>
> This will cause any incoming request to time out if not completed within 5
> seconds. This will cause the above "null" connections to time out very
> quickly, thereby significantly reducing the number of wasted waiting server
> instances.

So the next version of the DoS will just send a request and then set its
TCP receive window to something really tiny, effectively taking forever to
get the response.

For example, take a look at this "white-hat" program which uses the
technique I just described: .

Not that having multiple configurable timeouts is a bad thing. I just
wanted to point out that it's not the end of the story :)

-dean
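The two failure modes in this exchange, a client that never finishes its request (Ian's "null" connection) and a client that finishes the request but then drains the response a few bytes per round trip (dean's tiny-receive-window follow-up), call for different server-side rules. The following is an added example, not code from the Apache httpd project or from either poster, modelling the per-connection policy a server would need to cover both. The request deadline mirrors the proposed RecvTimeout; the response-side rule (a throughput floor averaged over a short window) and all threshold values are this example's own assumptions, not httpd settings. A plain idle timeout is included to show why it is not enough: a client that accepts one small segment at a time keeps "making progress" and never trips it.

```python
"""Per-connection progress policy that survives both null connections and
slow readers. Added example; thresholds are illustrative assumptions."""

RECV_TIMEOUT = 5.0      # seconds allowed for the whole request to arrive
SEND_MIN_RATE = 512.0   # bytes/second the client must drain while we send
SEND_WINDOW = 5.0       # averaging window for the rate check, in seconds
IDLE_TIMEOUT = 5.0      # the naive rule: drop only if nothing moved for this long


class ConnState:
    """Bookkeeping a server would keep beside each accepted socket."""

    def __init__(self, now):
        self.opened = now
        self.request_complete_at = None  # set once the request is fully parsed
        self.window_start = None         # start of the current rate window
        self.window_bytes = 0            # bytes send() moved in that window
        self.last_activity = now

    def request_complete(self, now):
        self.request_complete_at = now
        self.window_start = now
        self.window_bytes = 0
        self.last_activity = now

    def sent(self, nbytes, now):
        """Record that send() moved nbytes (whatever the peer's window allowed)."""
        self.window_bytes += nbytes
        if nbytes > 0:
            self.last_activity = now


def idle_timeout_verdict(state, now):
    """Naive rule: any byte of progress resets the clock."""
    return "drop:idle" if now - state.last_activity > IDLE_TIMEOUT else None


def progress_verdict(state, now):
    """Request deadline plus response-throughput floor.

    Returns None to keep the connection or a reason string to drop it.
    Rolls the rate window forward once it elapses without a violation.
    """
    if state.request_complete_at is None:
        if now - state.opened > RECV_TIMEOUT:
            return "drop:recv-timeout"      # Ian's null-connection case
        return None
    elapsed = now - state.window_start
    if elapsed < SEND_WINDOW:
        return None
    if state.window_bytes / elapsed < SEND_MIN_RATE:
        return "drop:slow-reader"          # dean's tiny-window case
    state.window_start = now
    state.window_bytes = 0
    return None


def simulate(rate_bytes_per_sec, step, duration, verdict):
    """Drive one connection against a policy function.

    Constructed scenario: the request completes at t=0, then the peer lets us
    push rate_bytes_per_sec bytes per second in chunks every `step` seconds,
    standing in for its advertised receive window. Returns (t, reason) for the
    first drop verdict, or (duration, None) if the client is never dropped.
    """
    state = ConnState(0.0)
    state.request_complete(0.0)
    t = 0.0
    while t < duration:
        t += step
        state.sent(int(rate_bytes_per_sec * step), t)
        reason = verdict(state, t)
        if reason:
            return (t, reason)
    return (duration, None)


def null_connection_verdict(seconds_open):
    """Ian's case: a connection that has sent no complete request."""
    return progress_verdict(ConnState(0.0), seconds_open)


if __name__ == "__main__":
    for label, rate in (("healthy", 100_000), ("slow reader", 10), ("stalled", 0)):
        print(label, "idle-timeout:", simulate(rate, 1.0, 60.0, idle_timeout_verdict),
              "progress:", simulate(rate, 1.0, 60.0, progress_verdict))
    print("null connection after 6s:", null_connection_verdict(6.0))
```

The simulation shows the gap dean is pointing at: a client that accepts 10 bytes per second is never dropped by the idle rule, because every trickle resets the clock, while the throughput floor drops it at the end of the first averaging window. Tune SEND_MIN_RATE against the slowest legitimate clients you actually serve; set too high, the rule cuts off real users on bad links.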