httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: [Fwd: Slowloris]
Date Mon, 22 Jun 2009 12:23:12 GMT
(moved to dev@ - as this issue is now perfectly public).

Ben Laurie wrote:
> Dirk-Willem van Gulik wrote:
>> Ben Laurie wrote:
>>> What does that matter? If you need to do it less to Apache, then Apache
>>> is broken in comparison to the others.
>>>
>> Completely agreed - no need to get into a spitting match as to who is
>> most broken. We had the same problem in 96 or so - and they were a
>> total pain to deal with. Options of dealing with this can be
>>
>> -    Very aggressive timeouts and intentionally delaying/increasing the
>>      cost of the TCP setup - but you are in freebsd/solaris style kernel filters.
>>
>> -    Very aggressive timeouts generally - but you penalize the 14k4 modem
>>      users.
>>
>> -    Binning users after a while in such a group - but then you penalize
>>      certain ISPs or NAT-blocks.
>>
>> -    Not do much - but a graded response when you get resource tight; i.e.
>>      start prioritizing 'active' connections over slow ones. Either by
>>      making the timeouts an exponential function of the load or by some
>>      simple binning (which is what we did in phase 2).
>>
>> -    Hand off (too) inactive connections to something cheaper - this is
>>      what we did in the final phase - using a single thread, select() loop
>>      with fixed buffer footprint. However that used a solaris inter process
>>      'file descriptor passing' message - which I guess is out of vogue now.
>
> Why? This is actually quite in vogue for security reasons :-)

Sounds like I have missed something. Blush :) (Especially after reading up on
all the work in OpenBSD :)!).

Having read up on it a bit - so fair to conclude that the mechanism for
passing file descriptors between processes is now a solid cross-platform
thing? But I am not seeing something easy in APR? Do we have modules
already doing this?

>> And really - in this day and age you probably want to tell your
>> switch/router/network-piece-of-kit/dog to move the TCP to another machine.

And I have no idea if there are any APIs for this which are cross-vendor.

>> -    Seriously rewrite apache/add a worker which mimics the accept_filter.ko
>>      of freebsd somewhat in that it is a single threaded async select() loop
>>      which buffers things up until they are cooked enough (i.e. the client has
>>      enough skin in the game) to hand off to a real worker.
>>
>> Any more approaches possible?

Dw
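The hand-off step discussed in this message (a cheap single-threaded front end accepts and buffers a connection, then passes the socket to a real worker once the request is "cooked") rests on descriptor passing between processes. The following is an added example, not code from the thread, APR or httpd: it shows that mechanism as SCM_RIGHTS ancillary data over an AF_UNIX socket on Linux/BSD. The names send_fd, recv_fd and demo_handoff are constructed for the example; the round trip uses a pipe in place of an accepted client socket.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Carrier for one descriptor's worth of SCM_RIGHTS ancillary data. */
union fdctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Pass fd_to_pass over the connected AF_UNIX socket chan. One payload byte
 * travels with it, since ancillary data needs at least one byte of real data. */
int send_fd(int chan, int fd_to_pass) {
    char payload = 'F';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union fdctl ctl; memset(&ctl, 0, sizeof ctl);
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf; msg.msg_controllen = sizeof ctl.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;   /* 0 on success, -1 on error */
}

/* Receive a descriptor sent with send_fd(). The control message is validated
 * before the descriptor is trusted; anything else is rejected. Returns fd or -1. */
int recv_fd(int chan) {
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union fdctl ctl; memset(&ctl, 0, sizeof ctl);
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf; msg.msg_controllen = sizeof ctl.buf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof(int)); return fd;
}

/* Round trip in one process: the socketpair stands in for the front-end/worker
 * channel, the pipe for an accepted client. Returns 1 on success, 0 on failure. */
int demo_handoff(void) {
    int chan[2], pipefd[2], ok = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0 || pipe(pipefd) < 0) return 0;
    int got = send_fd(chan[0], pipefd[0]) == 0 ? recv_fd(chan[1]) : -1;
    if (got >= 0 && write(pipefd[1], "cooked", 6) == 6) {
        char buf[8] = {0};   /* the receiver reads through the passed descriptor */
        ok = read(got, buf, 6) == 6 && memcmp(buf, "cooked", 6) == 0;
        close(got);
    }
    close(pipefd[0]); close(pipefd[1]); close(chan[0]); close(chan[1]);
    return ok;
}
```

In a real split the front end would only call send_fd once the buffered request is complete, so slow or idle clients never occupy a worker.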
