From: Dirk-Willem van Gulik
Date: Wed, 24 Jun 2009 08:54:13 +0100
To: dev@httpd.apache.org
Subject: Re: Mitigating the Slowloris DoS attack
Message-ID: <4A41DBA5.1070509@webweaving.org>
Akins, Brian wrote:
> On 6/22/09 10:40 PM, "Weibin Yao" wrote:
>
>> I have an idea to mitigate the problem: put Nginx as a reverse proxy
>> server in front of apache.
>
> Or a device that effectively acts as such.
>

So what we did in the mid '90s when we were hit by pretty much the same was a bit simpler - any client which did not complete its headers within a few seconds (or whatever a SLIP connection over a few k baud or so would need) was simply handed off, by passing the file descriptor over a socket, to a special single apache process. This one ran a very simple single-threaded async select() loop for all the laggards and would only pass it back to the main apache children once header reading was complete. This was later replaced by kernel accept filters.

Thanks,

Dw.
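As an added illustration of the "laggard" process described above (this is not code from the post or from httpd, and all names are mine): a single-threaded select() loop that reads each parked connection only until its request headers are complete, marks it ready to hand back to a normal worker, and closes any client that has not finished by its deadline. The file-descriptor hand-off between processes (SCM_RIGHTS over a Unix socket) is assumed to happen outside this block; the header cap HDR_MAX is an assumed value.

```c
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

#define HDR_MAX 8192         /* assumed cap on header bytes buffered per laggard */
enum lag_state { LAG_WAITING, LAG_READY, LAG_EXPIRED };
/* One slow connection parked here: fd, absolute deadline for finishing headers, bytes so far. */
struct laggard { int fd; time_t deadline; size_t len; char buf[HDR_MAX]; enum lag_state st; };

/* A request header block is complete once the blank-line terminator has arrived. */
int headers_complete(const char *buf, size_t len)
{
    for (size_t i = 4; i <= len; i++)
        if (memcmp(buf + i - 4, "\r\n\r\n", 4) == 0) return 1;
    return 0;
}

/* Single-threaded loop over all laggards: each is read only until its headers are complete
 * (LAG_READY: hand back to a worker) or its deadline passes (LAG_EXPIRED: closed). Returns #READY. */
int drain_laggards(struct laggard *l, int n)
{
    int ready = 0;
    for (;;) {
        fd_set rfds; FD_ZERO(&rfds);
        int maxfd = -1, pending = 0; time_t now = time(NULL);
        for (int i = 0; i < n; i++) {
            if (l[i].st != LAG_WAITING) continue;
            if (now >= l[i].deadline || l[i].len >= HDR_MAX) {   /* too slow or too big: drop it */
                l[i].st = LAG_EXPIRED; close(l[i].fd); continue;
            }
            FD_SET(l[i].fd, &rfds);
            if (l[i].fd > maxfd) maxfd = l[i].fd;
            pending++;
        }
        if (pending == 0) break;
        struct timeval tv = { 1, 0 };  /* wake at least once a second to enforce deadlines */
        if (select(maxfd + 1, &rfds, NULL, NULL, &tv) < 0) break;
        for (int i = 0; i < n; i++) {
            if (l[i].st != LAG_WAITING || !FD_ISSET(l[i].fd, &rfds)) continue;
            ssize_t r = read(l[i].fd, l[i].buf + l[i].len, HDR_MAX - l[i].len);
            if (r <= 0) { l[i].st = LAG_EXPIRED; close(l[i].fd); continue; }  /* EOF or error */
            l[i].len += (size_t)r;
            if (headers_complete(l[i].buf, l[i].len)) { l[i].st = LAG_READY; ready++; }
        }
    }
    return ready;
}
```

Because select() is bounded by FD_SETSIZE, a production version of this loop would use poll() or kqueue/epoll instead; the timeout logic is the same.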