httpd-dev mailing list archives

From Kevin J Walters <Kevin.Walt...@morganstanley.com>
Subject Re: Mitigating the Slowloris DoS attack
Date Wed, 24 Jun 2009 09:40:28 GMT

>>>>> "M" == Matthieu Estrade <mestrade@apache.org> writes:

M> More granular timeout and maybe adaptative timeout is also IMHO a good
M> way to improve resistance to this kind of attack.

The current 1.3, 2.0 and 2.2 documentation is in agreement too!

I believe the ssl module also takes its timeout value from this
setting. It would be great if that was separately configurable too to
cater for those intent on doing partial ssl handshakes.


  The TimeOut directive currently defines the amount of time Apache will wait for three things:

   1. The total amount of time it takes to receive a GET request.
   2. The amount of time between receipt of TCP packets on a POST or PUT request.
   3. The amount of time between ACKs on transmissions of TCP packets in responses.

  We plan on making these separately configurable at some point down the
  road. The timer used to default to 1200 before 1.2, but has been
  lowered to 300 which is still far more than necessary in most
  situations. It is not set any lower by default because there may still
  be odd places in the code where the timer is not reset when a packet
  is sent. 


regards

|<evin

-- 
Kevin J Walters                      Morgan Stanley
kjw@ms.com                           25 Cabot Square
Tel: 020 7425 7886                   Canary Wharf
Fax: 020 7677 8504                   London E14 4QA
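
To illustrate the granular timeouts discussed in this message, the following added example (not part of the original post and not Apache httpd code) models how long a client that never completes its request headers can hold a worker under a single idle timer versus a header deadline with a minimum data rate. The function names, the traces and the 20/40/500 thresholds are assumptions; only the 300-second timer comes from the quoted documentation.

```python
# Added illustration: one idle timer versus a granular header-read timeout.
# Everything here is a model built on assumptions, not Apache httpd behaviour.
# A trace is a list of (seconds_since_accept, bytes_read) header fragments;
# after the last fragment the client goes silent without finishing its headers.

def slot_held_idle(arrivals, idle_timeout):
    """Seconds a worker stays occupied when the timer restarts on every read."""
    last = 0.0
    for ts, _nbytes in arrivals:
        if ts - last > idle_timeout:
            break                      # gap too long: timer fired at last + timeout
        last = ts
    return last + idle_timeout

def slot_held_granular(arrivals, initial, maximum, min_rate):
    """Seconds a worker stays occupied under a header deadline.

    The deadline starts at `initial` seconds, grows by one second for every
    `min_rate` bytes received, and is never allowed past `maximum` seconds.
    """
    deadline = float(initial)
    for ts, nbytes in arrivals:
        if ts > deadline:
            break                      # data arrived after the deadline: already dropped
        deadline = min(float(maximum), deadline + nbytes / min_rate)
    return deadline

# Constructed traces (not captured traffic).
# SLOW: a 20-byte header line every 100 s, always inside a 300 s idle window.
SLOW = [(100.0 * i, 20) for i in range(1, 31)]
# FAST: 500 bytes every second for a minute, so the minimum rate is met throughout.
FAST = [(1.0 * i, 500) for i in range(1, 61)]

def compare(trace):
    """Return (idle-only hold time, granular hold time) for one trace."""
    return (slot_held_idle(trace, 300),
            slot_held_granular(trace, initial=20, maximum=40, min_rate=500))

if __name__ == "__main__":
    for name, trace in (("slow", SLOW), ("fast", FAST)):
        idle, granular = compare(trace)
        print(f"{name}: idle-only holds {idle:.0f}s, granular holds {granular:.0f}s")
```

Under the idle-only model the hold time grows with every fragment the client sends, while the granular policy bounds it at the maximum regardless of how the data is paced.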
