httpd-dev mailing list archives

From Bill Stoddard <>
Subject Re: DDOS protection features request
Date Fri, 07 Nov 2003 00:44:09 GMT
Sergey Ignatchenko wrote:

> There exists (and I know of several instances when 
> it was successfully used) a trivial kind of DDOS 
> attack that seems to be quite poorly handled by 
> Apache:
> if multiple clients just create TCP connections 
> to port 80 and do not send anything over those
> connections, it will take TimeOut (300 sec by 
> default) to drop such a connection. So, it 
> becomes trivial to fill all 256 slots (default 
> MaxClients for prefork MPM) and even thousands 
> of slots for worker MPM, therefore effectively 
> preventing legitimate users from requesting data. 
> Two features IMO would help (sorry, if they were 
> already recently added - pls refer me to appropriate 
> directives then): 
> - split TimeOut directive into several (which is
> already planned according to Apache docs: 
> To deal with such an attack, it is necessary to reduce
> "The total amount of time it takes to receive a GET 
> request." to several seconds, but unfortunately 
> reducing current TimeOut value to several seconds 
> will have all kinds of ill effects, including 
> effective inability to serve relatively big files
> (1M+). 
This has been discussed before on the list. The conclusion of the 
discussion has always been something like 'there are other very 
effective ways to DoS the server that cannot be defended against at the 
HTTP protocol level so implementing DoS protections in the web server is 
pointless'. Or something like that. However...

I am in favor of splitting the timeout directive into two separate 
directives. This seems relatively easy to do and it will protect against 
a trivial attack.

> - implementing restriction on number of connections 
> from single source IP (something similar to mod_conn 
> that existed for Apache 1.3). Note: I have no idea 
> how mod_conn was implemented, but to deal with 
> the attack, IP session limit check must be 
> performed _before_ GET request completed. 
This, on the other hand, would play havoc with folks accessing websites via a proxy 
(think employees of a large company accessing internet sites. They all 
might look like they are coming from the same IP addr.) I would not 
object to someone starting an httpd subproject for a general purpose 
module to implement some of the defences that can be implemented at the 
HTTP level.
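The attack Sergey describes and the timeout split Bill favours, as an added localhost demonstration that is not part of this thread and not httpd code. A toy server with a fixed number of worker slots (standing in for prefork MaxClients) is filled with TCP connections that never send a byte; a real client then tries a GET. With one timeout governing everything (the 300 s TimeOut of the post) the idle connections hold every slot and the real client is starved; with a separate, short request-read budget the idle connections are dropped and the real client is served, while the transfer budget can stay long. All names (SlotLimitedServer, run_trial, open_idle_connections, legitimate_get) and the port/slot numbers are my own assumptions for the example.

```python
"""Added example (not from the httpd-dev thread): idle-connection slot exhaustion
against a toy server, and the effect of a separate request-read timeout."""
import socket
import threading
import time


class SlotLimitedServer:
    """Toy HTTP server with a fixed number of worker slots (like prefork MaxClients).

    header_timeout bounds how long a connection may occupy a slot before its request
    line arrives; body_timeout bounds the response transfer. A single TimeOut, as in
    the Apache of the post, would have to serve as both values at once.
    """

    def __init__(self, max_clients, header_timeout, body_timeout):
        self.header_timeout = header_timeout
        self.body_timeout = body_timeout
        self.slots = threading.Semaphore(max_clients)
        self.stopped = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))       # assumed: loopback, ephemeral port
        self.sock.listen(128)                   # connections queue here when no slot is free
        self.sock.settimeout(0.1)               # lets the accept loop notice shutdown
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while not self.stopped.is_set():
            try:
                conn, _ = self.sock.accept()
            except OSError:                     # accept timeout, or listener closed on stop()
                continue
            self.slots.acquire()                # blocks while every slot is held: the attacker's goal
            if self.stopped.is_set():
                conn.close()
                self.slots.release()
                return
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        try:
            conn.settimeout(self.header_timeout)
            data = b""
            while b"\r\n" not in data:          # wait for the request line
                chunk = conn.recv(1024)
                if not chunk:
                    return                      # peer closed without sending a request
                data += chunk
            conn.settimeout(self.body_timeout)  # separate budget for the transfer
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except OSError:
            return                              # header or body timeout: drop the connection
        finally:
            conn.close()
            self.slots.release()                # the slot is free again

    def stop(self):
        self.stopped.set()
        self.sock.close()


def open_idle_connections(port, n):
    """Constructed attacker: n TCP connections to the server that never send a byte."""
    return [socket.create_connection(("127.0.0.1", port)) for _ in range(n)]


def legitimate_get(port, wait):
    """Constructed victim: one real GET; True if a 200 arrives within `wait` seconds."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(wait)
    try:
        s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
        return s.recv(1024).startswith(b"HTTP/1.0 200")
    except OSError:
        return False
    finally:
        s.close()


def run_trial(header_timeout, body_timeout=30.0, max_clients=8, attackers=8, wait=2.0):
    """Fill every slot with idle connections, then report whether a real client is served."""
    srv = SlotLimitedServer(max_clients, header_timeout, body_timeout)
    idle = []
    try:
        idle = open_idle_connections(srv.port, attackers)
        time.sleep(0.3)                         # let the server accept them into its slots
        return legitimate_get(srv.port, wait)
    finally:
        for c in idle:
            c.close()
        srv.stop()


if __name__ == "__main__":
    # One timeout for everything, 300 s as in the post: 8 idle sockets park the server.
    print("single TimeOut=300:", run_trial(header_timeout=300.0))
    # Split: 1 s to receive the request line, 30 s still allowed for the transfer.
    print("request-read timeout=1:", run_trial(header_timeout=1.0))
```

The second trial is the split Bill proposes: the short value applies only until the request line has been read, so a slow download of a large file is still governed by the long transfer budget and is not cut off. Later Apache releases shipped exactly this separation as the RequestReadTimeout directive of mod_reqtimeout; that module postdates and is not discussed in this thread. The example covers only the idle-connection variant at the HTTP level; it does nothing about the per-source-IP limit, which carries the shared-proxy problem Bill raises.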
