httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: ap_get_client_block blocks in Apache 1.3
Date Wed, 09 Apr 2003 14:54:51 GMT
Dimitri Rebrikov wrote:

> I know that such requests aren't conformant and I don't expect them to be
> processed correctly. But is it not a vulnerability point if such (broken)
> clients can block my apache-processes for an indefinite amount of time and
> finally (if many) paralyse my system?

A timeout isn't really going to help you in this case. Apache maintains 
an upper limit on the number of threads/processes it will spawn, so as 
long as these are kept reasonable (and the defaults are reasonable) 
Apache will not spawn processes beyond the set limits.

It is quite feasible for an attacker to open 1000 requests to your 
machine in way less time than a reasonable timeout - this can DoS your 
webserver, but it won't kill your box.

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight..."

