httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Dumpleton <graham.dumple...@gmail.com>
Subject Re: Mitigating the Slowloris DoS attack
Date Wed, 24 Jun 2009 09:57:58 GMT
2009/6/24 Kevin J Walters <Kevin.Walters@morganstanley.com>:
>
>>>>>> "M" == Matthieu Estrade <mestrade@apache.org> writes:
>
> M> More granular timeout and maybe adaptative timeout is also IMHO a good
> M> way to improve resistance to this kind of attack.
>
> The current 1.3, 2.0 and 2.2 documentation is in agreement too!
>
> I believe the ssl module also takes its timeout value from this
> setting. It would be great if that was separately configurable too to
> cater for those intent on doing partial ssl handshakes.
>
>
>  The TimeOut directive currently defines the amount of time Apache will wait for three
things:
>
>   1. The total amount of time it takes to receive a GET request.
>   2. The amount of time between receipt of TCP packets on a POST or PUT request.
>   3. The amount of time between ACKs on transmissions of TCP packets in responses.
>
>  We plan on making these separately configurable at some point down the
>  road. The timer used to default to 1200 before 1.2, but has been
>  lowered to 300 which is still far more than necessary in most
>  situations. It is not set any lower by default because there may still
>  be odd places in the code where the timer is not reset when a packet
>  is sent.

>From what I understand, the server timeout value is also used to break
deadlocks in mod_cgi due to POST data being greater than the UNIX
socket buffer size and CGI script not reading POST data and then
returning a response greater than the UNIX socket buffer size. In
other words, CGI script blocks because Apache server child process
isn't reading response. The Apache server child process is blocked
still waiting for the CGI script to consume the response. The timeout
value breaks the deadlock. In this context, making the timeout too
small a value may have unintended consequences and affect how CGI
scripts work, so a separate timeout for mod_cgi would be preferable.

FWIW, the mod_cgid module doesn't appear to have this deadlock
detection so in practice this issue could in itself be used as a
denial of service vector when mod_cgid is used as it will completely
lock up the Apache child server thread with no failsafe to unblock it.
I have brought this issue up before on the list to get someone else to
analyse mod_cgid code and see if what I see is correct or not, but no
one seemed interested at the time, so took it that people didn't see
it as important. It may not have been seen as such a big issue as on
Linux systems the UNIX socket buffer size in the order of 220KB. On
MacOS X though, the UNIX socket buffer size is only 8KB, so much
easier to trigger. Unlike SendBufferSize and ReceiveBufferSize, there
are no directives to override these buffer sizes for mod_cgi and
mod_cgid.

Graham

Mime
View raw message