httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Querna <c...@force-elite.com>
Subject Re: Timeout for requests
Date Tue, 03 May 2005 22:22:09 GMT
Ivan Barrera A. wrote:
>>You mean the httpready filter?  The accept will trigger once the buffer
>>is full, so yes, large requests will defeat it eventually, but you still
>>get the benefit of not tying up an Apache process until the buffer has
>>been filled.  The question was regarding just opening up lots of
>>connections and letting them sit there, so the request size didn't
>>matter in the context of the question.
>>
>>And yes, if you have KeepAlive enabled, there is no protection for
>>subsequent slow or stalled requests, but there is a KeepAlive timeout
>>there.  Most busy sites disable KeepAlive anyway since it is a DoS
>>feature in the sense that you tend to get a lot of processes sitting
>>around waiting on slow clients.
>>
>>I did fix an issue last year where even with accept filtering enabled
>>you could DoS any Apache server by simply opening MaxClients connections
>>and trickling a carriage return to each connection very slowly.  So for
>>people seeing DoS issues like this, I would suggest upgrading to the
>>latest version, turning on accept filtering and turning off keepalive.
>>
> 
> 
> I haven't been able to enable acceptfilters on linux. Where can i get a
> howto or some info ?

Code to do this is in 2.1-dev.  The SO_ACCEPTFILTER is not available in
2.0.x.

It is largely undocumented in Linux. When I added support to 2.1, my
only reference was the linux kernel source code.

FreeBSD's accept filter stuff is well documented, and works great.  But,
this isn't the freebsd evangelism mailing list....  Good Luck with Linux.

-Paul

Mime
View raw message