From Rasmus Lerdorf
Subject Re: Timeout for requests
Date Tue, 03 May 2005 21:40:32 GMT
Nick Kew wrote:
>>Turn on accept filtering and this problem goes away.  Or at least it
>>moves to be a kernel-level issue instead of an Apache one.
> How does that work with large requests?  Doesn't the whole principle
> leave you the choice of just moving the DOS attack or breaking
> pipelining?

You mean the httpready filter?  The accept will trigger once the buffer 
is full, so yes, large requests will defeat it eventually, but you still 
get the benefit of not tying up an Apache process until the buffer has 
been filled.  The question was regarding just opening up lots of 
connections and letting them sit there, so the request size didn't 
matter in the context of the question.

And yes, if you have KeepAlive enabled, there is no protection for 
subsequent slow or stalled requests, but there is a KeepAlive timeout 
there.  Most busy sites disable KeepAlive anyway since it is a DoS 
feature in the sense that you tend to get a lot of processes sitting 
around waiting on slow clients.

I did fix an issue last year where even with accept filtering enabled 
you could DoS any Apache server by simply opening MaxClients connections 
and trickling a carriage return to each connection very slowly.  So for 
people seeing DoS issues like this, I would suggest upgrading to the 
latest version, turning on accept filtering and turning off keepalive.
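
What accept filtering looks like at the socket level, as an added example that is not part of the original message and not Apache's own code: the listener asks the kernel to hold a connection until request data has arrived, so an idle connection does not occupy a worker in accept(). The `httpready` filter is the one named above (FreeBSD); the Linux `TCP_DEFER_ACCEPT` branch, the function names, the loopback address and the 10-second value used in testing are assumptions.

```c
/* Added example (not Apache source): a listener using kernel accept filtering. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hold new connections in the kernel until request data arrives; 0 on success. */
int enable_accept_filter(int fd, int defer_secs)
{
#if defined(SO_ACCEPTFILTER)    /* FreeBSD; needs the accf_http module loaded */
    struct accept_filter_arg afa;
    (void)defer_secs;
    memset(&afa, 0, sizeof(afa));
    strcpy(afa.af_name, "httpready");
    return setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
#else                           /* Linux: wait for first data, up to defer_secs */
    return setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &defer_secs, sizeof(defer_secs));
#endif
}

/* Returns 1 if the kernel reports a filter on fd, else 0. */
int accept_filter_active(int fd)
{
#if defined(SO_ACCEPTFILTER)
    struct accept_filter_arg afa;
    socklen_t len = sizeof(afa);
    return getsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, &len) == 0;
#else
    int v = 0; socklen_t len = sizeof(v);
    return getsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, &len) == 0 && v > 0;
#endif
}

/* Loopback listener on port (0 = any free port); a refused filter is not fatal. */
int open_filtered_listener(unsigned short port, int defer_secs)
{
    struct sockaddr_in sa;
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 128) < 0) {
        close(fd); return -1; }
    (void)enable_accept_filter(fd, defer_secs); /* after listen(), as FreeBSD requires */
    return fd;
}
```

Call `accept_filter_active()` on the returned descriptor to confirm the kernel actually applied the filter; if it returns 0, idle connections still reach accept() and tie up a worker.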


