httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject Re: mod_noloris: mitigating against slowloris-style attack
Date Thu, 25 Jun 2009 14:01:29 GMT

> -----Original Message-----
> From: Nick Kew 
> Sent: Thursday, 25 June 2009 15:40
> To: dev@httpd.apache.org
> Subject: mod_noloris: mitigating against slowloris-style attack
> 
> I was just thinking about a quick&dirty fix we could offer
> to admins who are suddenly concerned about DoS attack.
> 
> The following, backed by dbm or memcache and assuming configurable
> default and per-host concurrent connection limits, looks like an
> outline candidate and works as a module:
> 
> static int noloris_conn(conn_rec *conn)
> {
>      /* kludge: just limit the number of connections per-ip */
>      /* increment num-conn-from-host
>       * register pool cleanup to decrement it
>       * limit = per-host-limit || default-limit
>       * if (num-conn > limit) {
>       *     drop connection;
>       *     return OK;
>       * }
>       */
>      return DECLINED;
> }
> static void noloris_hooks(apr_pool_t *p)
> {
>      ap_hook_process_connection(noloris_conn, NULL, NULL, APR_HOOK_FIRST);
> }
> 
> Is this worth hacking up, or more trouble than it saves?

I guess the approach is good, but there are already modules in the
wild that provide this. So the question is: Should we do our own?
BTW: I remember that there was a request a while ago to move mod_limitipconn
(one of those modules) inside httpd, but I haven't got the archives
at hand right now to check. Maybe an idea to come back to this.

Regards

Rüdiger
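The counting logic from Nick's outline, worked into a stand-alone C program so the accept/drop decision can be exercised without httpd. This is an added example, not Nick Kew's module and not code from httpd or mod_limitipconn: a small fixed-size table stands in for the dbm/memcache backend, `conn_open()` plays the part of the process_connection hook, and `conn_close()` plays the pool cleanup that decrements the counter. All names, limits and addresses are assumptions constructed for the example.

```c
/* Added example: per-client-IP concurrent connection limiter in the shape of
 * the mod_noloris outline. No httpd/APR dependencies; a fixed-size table
 * (an assumption) stands in for the dbm/memcache store. */
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 64
#define IP_LEN    46            /* room for an IPv6 text address */

typedef struct {
    char ip[IP_LEN];            /* empty string marks a free slot */
    int  active;                /* connections currently open from this host */
    int  limit;                 /* per-host override; 0 = use default_limit */
} host_entry;

static host_entry table[MAX_HOSTS];
static int default_limit = 10;  /* the outline's "default-limit" */

/* Find the slot for an address, creating one if asked. NULL when the table
 * is full (or the address is unknown and create == 0). */
static host_entry *lookup(const char *ip, int create)
{
    int i;
    for (i = 0; i < MAX_HOSTS; i++)
        if (table[i].ip[0] != '\0' && strcmp(table[i].ip, ip) == 0)
            return &table[i];
    if (!create)
        return NULL;
    for (i = 0; i < MAX_HOSTS; i++) {
        if (table[i].ip[0] == '\0') {
            strncpy(table[i].ip, ip, IP_LEN - 1);
            table[i].ip[IP_LEN - 1] = '\0';
            table[i].active = 0;
            table[i].limit = 0;
            return &table[i];
        }
    }
    return NULL;
}

void set_default_limit(int limit) { default_limit = limit; }

/* Per-host override, the outline's "per-host-limit". Returns 0 on success. */
int set_host_limit(const char *ip, int limit)
{
    host_entry *e = lookup(ip, 1);
    if (!e)
        return -1;
    e->limit = limit;
    return 0;
}

/* New connection from ip: increment, compute limit = per-host || default,
 * drop when over. Returns 1 = accept (DECLINED in the outline), 0 = drop. */
int conn_open(const char *ip)
{
    host_entry *e = lookup(ip, 1);
    int limit;
    if (!e)
        return 0;               /* table exhausted: refuse rather than lose count */
    e->active++;
    limit = e->limit ? e->limit : default_limit;
    if (e->active > limit) {
        e->active--;            /* a dropped connection must not stay counted */
        return 0;
    }
    return 1;
}

/* Accepted connection closed: the pool cleanup's decrement. Slots with no
 * override are released when idle so the table only tracks live hosts. */
void conn_close(const char *ip)
{
    host_entry *e = lookup(ip, 0);
    if (!e || e->active == 0)
        return;
    e->active--;
    if (e->active == 0 && e->limit == 0)
        e->ip[0] = '\0';
}

int active_connections(const char *ip)
{
    host_entry *e = lookup(ip, 0);
    return e ? e->active : 0;
}

int main(void)
{
    int i, accepted = 0;
    set_default_limit(3);
    set_host_limit("10.0.0.5", 1);          /* constructed: tighter per-host limit */
    for (i = 0; i < 5; i++)                 /* constructed burst of slow connections */
        accepted += conn_open("192.0.2.1");
    printf("192.0.2.1: accepted %d of 5 (default limit %d)\n", accepted, default_limit);
    conn_close("192.0.2.1");
    printf("after one close, next connect accepted: %d\n", conn_open("192.0.2.1"));
    printf("10.0.0.5: first %d, second %d\n", conn_open("10.0.0.5"), conn_open("10.0.0.5"));
    return 0;
}
```

The decrement on drop matters: if the counter only ever came down in the pool cleanup, a refused client could exhaust its own budget with connections that were never served. The fixed-size table also shows why the outline reaches for dbm or memcache: in a prefork or worker MPM each process has its own memory, so a per-process table would let one client multiply its allowance by the number of processes, and without eviction a flood of distinct source addresses would fill the table and starve new clients.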