httpd-dev mailing list archives

From Paul Querna <p...@querna.org>
Subject Re: Mitigating the Slowloris DoS attack
Date Tue, 23 Jun 2009 04:48:46 GMT
On Sun, Jun 21, 2009 at 4:10 AM, Andreas Krennmair <ak@synflood.at> wrote:
> Hello everyone,
.....
> The basic principle is that the timeout for new connections is adjusted
> according to the current load on the Apache instance: a load percentage is
> computed in the perform_idle_server_maintenance() routine and made available
> through the global scoreboard. Whenever the timeout is set, the current load
> percentage is taken into account. The result is that slowly sending
> connections are dropped due to a timeout, while legitimate, fast-sending
> connections are still being served. While this approach doesn't completely
> fix the issue, it mitigates the negative impact of the Slowloris attack.

Mitigation is the wrong approach.

We all know our architecture is wrong.

We have started on fixing it, but we need to finish the async input
rewrite on trunk, but all of the people who have hacked on it, myself
included, have hit ENOTIME for the last several years.

Hopefully the publicity this has generated will get renewed interest
in solving this problem the right way, once and for all :)

It doesn't need to be the simple mpm, or the event mpm; it's not even
about MPMs, it's about how the whole input filter stack works.

So.. I write yet another email about it... and disappear in the ether
of ENOTIME once again.....

-Paul
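To make the trade-off in the quoted proposal concrete, here is an added simulation (not Andreas's patch and not httpd code) of a load-adjusted read timeout: the timeout shrinks with worker-pool load, so a trickling client is dropped once workers are scarce while a client that delivers its request quickly is unaffected, and at low load the trickling client is still allowed to hold its worker, which is why this only mitigates. The base of 300 s is assumed to match the httpd 2.2 default `Timeout`; the request length, tick-per-second model and the two client profiles are constructed.

```c
#include <stdio.h>
/* Assumed base timeout: the httpd 2.2 default "Timeout 300". */
#define BASE_TIMEOUT_SEC 300
#define MIN_TIMEOUT_SEC  5
#define REQUEST_LEN      400   /* constructed: bytes that make a full request */
#define SIM_SECONDS      400
enum outcome { PENDING = 0, COMPLETE = 1, DROPPED = 2 };

/* Shrink the per-connection read timeout as the worker pool fills up.
   load_pct is busy workers as a percentage of the pool (0..100), the
   figure the quoted patch computes during idle-server maintenance. */
int adjusted_timeout(int base_sec, int load_pct)
{
    if (load_pct < 0)   load_pct = 0;
    if (load_pct > 100) load_pct = 100;
    int t = base_sec * (100 - load_pct) / 100;
    return t < MIN_TIMEOUT_SEC ? MIN_TIMEOUT_SEC : t;
}

/* Simulate one client that sends bytes_per_send bytes every interval_sec
   seconds (constructed traffic) under a fixed load, one tick per second,
   and report whether its request completed, was dropped, or is still open. */
int outcome(int load_pct, int interval_sec, int bytes_per_send)
{
    int timeout = adjusted_timeout(BASE_TIMEOUT_SEC, load_pct);
    int received = 0, last_activity = 0;   /* accepted at t = 0 */
    for (int now = 1; now <= SIM_SECONDS; now++) {
        if (now - last_activity > timeout)
            return DROPPED;                /* idle longer than the timeout */
        if (now % interval_sec == 0) {
            received += bytes_per_send;
            last_activity = now;
            if (received >= REQUEST_LEN)
                return COMPLETE;
        }
    }
    return PENDING;                        /* still holding a worker */
}

int main(void)
{
    static const char *name[] = { "pending", "complete", "dropped" };
    /* Slow client: 10 bytes every 100 s. Fast client: 400 bytes in one send. */
    for (int load = 0; load <= 100; load += 50)
        printf("load %3d%%: timeout %3ds, slow client %s, fast client %s\n",
               load, adjusted_timeout(BASE_TIMEOUT_SEC, load),
               name[outcome(load, 100, 10)], name[outcome(load, 1, 400)]);
    return 0;
}
```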
