httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: mod_noloris: mitigating against slowloris-style attack
Date Thu, 25 Jun 2009 17:38:08 GMT


On 06/25/2009 04:01 PM, Plüm, Rüdiger, VF-Group wrote:
>  
> 
>> -----Original Message-----
>> From: Nick Kew 
>> Sent: Thursday, 25 June 2009 15:40
>> To: dev@httpd.apache.org
>> Subject: mod_noloris: mitigating against slowloris-style attack
>>
>> I was just thinking about a quick&dirty fix we could offer
>> to admins who are suddenly concerned about DoS attack.
>>
>> The following, backed by dbm or memcache and assuming configurable
>> default and per-host concurrent connection limits, looks like an
>> outline candidate and works as a module:
>>
>> static int noloris_conn(conn_rec *conn)
>> {
>>      /* kludge: just limit the number of connections per-ip */
>>      /* increment num-conn-from-host
>>       * register pool cleanup to decrement it
>>       * limit = per-host-limit || default-limit
>>       * if (num-conn > limit) {
>>       *     drop connection;
>>       *     return OK;
>>       * }
>>       */
>>      return DECLINED;
>> }
>> static void noloris_hooks(apr_pool_t *p)
>> {
>>      ap_hook_process_connection(noloris_conn, NULL, NULL, APR_HOOK_FIRST);
>> }
>>
>> Is this worth hacking up, or more trouble than it saves?
> 
> I guess the approach is good, but there are already modules in the
> wild that provide this. So the question is: Should we do our own?
> BTW: I remember that there was a request a while ago to move mod_limitipconn
> (one of those modules) inside httpd, but I haven't got the archives
> at hand right now to check. Maybe an idea to come back to this.

The idea to move mod_limitipconn inside httpd is nearly one year old.

See
http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3cPine.GSO.4.64.0806181704510.11344@hatchepsut.acc.umu.se%3e
http://mail-archives.apache.org/mod_mbox/httpd-dev/200808.mbox/%3cPine.GSO.4.64.0808221104590.22704@hatchepsut.acc.umu.se%3e

David Jao, the author of the module, said that the latest version is ASL2.0 licensed

http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c485B942B.8060206@dominia.org%3e

and that he would sign a software grant if needed.

http://mail-archives.apache.org/mod_mbox/httpd-dev/200808.mbox/%3c48AF281F.1030303@dominia.org%3e

Do we need such a grant if it is ASL2.0 licensed?

Does anybody see any *license* (not *technical* or *project*) issues importing it into trunk
and using it as a base for a module to mitigate slowloris-style attacks?

Regards

Rüdiger
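The per-IP counting that the quoted mod_noloris outline sketches, as an added stand-alone C model that is not code from this thread or from httpd: the process_connection hook, the dbm/memcache store and the pool cleanup are replaced by an in-memory table and two calls, noloris_conn() and noloris_cleanup(); the table size, the default limit and the addresses are constructed sample values.

```c
/* Stand-alone model of the mod_noloris idea: count concurrent
 * connections per client address, drop any that exceed the per-host
 * limit (or the default). Hypothetical, not httpd code. */
#include <string.h>

#define MAX_HOSTS 64

struct host_entry {
    char ip[46];   /* textual IPv4/IPv6 address */
    int  conns;    /* current concurrent connections */
    int  limit;    /* per-host limit, 0 = use default_limit */
};

static struct host_entry table[MAX_HOSTS];
static int default_limit = 2;   /* constructed sample value */

/* Find or create the entry for an address; NULL when the table is full. */
static struct host_entry *lookup(const char *ip)
{
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (table[i].ip[0] == '\0') {
            strncpy(table[i].ip, ip, sizeof table[i].ip - 1);
            return &table[i];
        }
        if (strcmp(table[i].ip, ip) == 0)
            return &table[i];
    }
    return NULL;
}

/* Stands in for a per-host configuration directive. */
void noloris_set_limit(const char *ip, int limit)
{
    struct host_entry *e = lookup(ip);
    if (e) e->limit = limit;
}

/* Mirrors noloris_conn(): increment first, then compare against the
 * per-host limit or the default. Returns 1 = drop, 0 = accept. */
int noloris_conn(const char *ip)
{
    struct host_entry *e = lookup(ip);
    if (!e) return 1;               /* no room to track: fail closed */
    e->conns++;
    int limit = e->limit ? e->limit : default_limit;
    return e->conns > limit;
}

/* Mirrors the registered pool cleanup: runs on teardown of every
 * connection, dropped ones included, so the count always returns. */
void noloris_cleanup(const char *ip)
{
    struct host_entry *e = lookup(ip);
    if (e && e->conns > 0) e->conns--;
}
```

Two points the model makes visible: the decrement must run for dropped connections too, or an address that once exceeded its limit stays locked out, and a per-address ceiling only helps while the slow connections come from a small number of addresses.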

