httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject Re: Mitigating the Slowloris DoS attack
Date Wed, 24 Jun 2009 08:29:00 GMT
 

> -----Ursprüngliche Nachricht-----
> Von: Graham Leggett 
> Gesendet: Mittwoch, 24. Juni 2009 10:05
> An: dev@httpd.apache.org
> Betreff: Re: Mitigating the Slowloris DoS attack
> 
> Dirk-Willem van Gulik wrote:
> 
> > So what we did in the mid '90 when we where hit by pretty 
> much the same
> > was a bit simpler - any client which did not complete its 
> headers within
> > a a few seconds (or whatever a SLIP connection over a few k 
> baud or so
> > would need) was simply handed off by passing the file 
> descriptor over a
> > socket to a special single apache process. This one did a 
> very single
> > threaded async simple select() loop for all the laggards 
> and would only
> > pass it back to the main apache children once header reading was
> > complete. This was later replaced by kernel accept filters.
> 
> Are kernel accept filters widespread enough for it to be reasonably
> considered a generic solution to the problem? If so, then the solution
> to this problem is to just configure them correctly, and you're done.

The following issues remain:

1. You only have them on the BSD platforms
2. It doesn't help with SSL.
3. These kind of attacks can be also done in phases after the headers are
   read.

Curious question as I am not that familar with the accept filters:

Do they really wait with the handover of the socket until they read all headers?
I thought they only read the first line of the request before handing over
the socket to the app.

Regards

Rüdiger

Mime
View raw message