Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 59027 invoked from network); 26 Oct 2004 13:45:36 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 26 Oct 2004 13:45:36 -0000 Received: (qmail 80885 invoked by uid 500); 26 Oct 2004 13:45:12 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 80819 invoked by uid 500); 26 Oct 2004 13:45:11 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 80780 invoked by uid 99); 26 Oct 2004 13:45:11 -0000 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: pass (hermes.apache.org: local policy) Received: from [217.160.182.153] (HELO p15124383.pureserver.info) (217.160.182.153) by apache.org (qpsmtpd/0.28) with ESMTP; Tue, 26 Oct 2004 06:45:09 -0700 Received: from [192.168.2.3] (82-70-94-182.dsl.in-addr.zen.co.uk [82.70.94.182]) (authenticated (0 bits)) by p15124383.pureserver.info (8.11.6/8.11.6) with ESMTP id i9QDj1i19278 for ; Tue, 26 Oct 2004 14:45:01 +0100 Message-ID: <417E556A.6050307@webkreator.com> Date: Tue, 26 Oct 2004 14:47:22 +0100 From: Ivan Ristic User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 X-Accept-Language: en-us, en MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: cvs commit: httpd-2.0/server protocol.c References: <20041025064008.57233.qmail@minotaur.apache.org> <417CBB43.4090403@sharp.fm> <417D1449.2020509@sharp.fm> <176E4609-2704-11D9-BBD4-000393753936@gbiv.com> In-Reply-To: <176E4609-2704-11D9-BBD4-000393753936@gbiv.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Roy T. Fielding wrote: >> What would make more sense is "Error while reading HTTP request line. >> (remote browser didn't send a request?)". This indicates exactly what >> httpd was trying to do when the error occurred, and gives a hint of >> why the error might have occurred. > > We used to have such a message. It was removed from httpd because too > many users complained about the log file growing too fast, particularly > since that is the message which will be logged every time a browser > connects and then its initial request packet gets dropped by the network. > > This is not an error that the server admin can solve -- it is normal > life on the Internet. We really shouldn't be logging it except when > on DEBUG level. As you say, it is normal life on the Internet. I don't think Apache should be hiding the fact that many browsers don't finish with the request line, or timeout in some other way. But the main problem, and it's how this all started, is that without the message it becomes very difficult to detect when you are being attacked. At the same time such attacks are trivial to execute and don't require a fast connection. A smart attacker will open new connections at a very slow rate, just a bit faster then Apache closes them. The only way to figure it out is to be there when it happens or use some other network-level mechanism (netflow, argus, etc), but even that would involve long time of looking at the logs and comparing it to the access logs. As for people complaining about the error log growing too fast, I am sure their access logs grow *much* faster and they handle that without a problem. My point being logging is part of the package. I am OK with assigning this message to a low log level, but I don't think DEBUG is the correct choice. -- ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web applications ]