httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Henrik Nordstrom <...@squid-cache.org>
Subject Re: mod_cache responsibilities vs mod_xxx_cache provider responsibilities
Date Thu, 21 Sep 2006 19:43:51 GMT
tor 2006-09-21 klockan 12:18 +0200 skrev Plüm, Rüdiger, VF EITO:

> IMHO this waits for a DoS to happen if the requestor can trick the backend
> to get stuck with the request. So one request of this type would be sufficient
> to DoS the whole server if the timeout is not very short.

How would this be more of a DoS than just flooding the proxy with
connections to a non-existing server? The delay is per URL, not a while
requested site.

Sure, an attacker can use this to make it look like a site with this
problem is non-responsive for users via the cache, but it's not that
difficult to handle. Maybe you already do what we do in Squid: ignore
the cache on "reload" request. Solves the problem quite nicely. However,
in Squid we do start transmitting what is available immediately, but our
design is somewhat different.

To avoid DoS all you need to do is keep monitoring the client
connection, and abort if the client aborts while waiting for the entity
to become available.

Regards
Henrik

Mime
View raw message