httpd-dev mailing list archives

From Bojan Smojver <bo...@rexursive.com>
Subject LimitRequestRate configuration directive?
Date Sun, 05 Jul 2009 00:20:00 GMT
Just wondering if it would be useful to have a LimitRequestRate
configuration directive, which would then mitigate against Slowloris and
friends?

For instance, if Timeout is 5 seconds, Slowloris will push 8 bytes
through the pipe every 5 seconds (X-a: b\r\n), giving it the rate of 1.6
bytes per second. Quite obviously, this kind of input rate is not
something today's machines and networks are experiencing on a regular
basis, so requiring say 100 bytes per second or more in this scenario
would help against this kind of attack. In combination with other Limit
directives, the attacker would hit disconnect much faster, hopefully
giving legitimate clients more chance to get a thread/process.

Disclaimer: not a security expert by any stretch of imagination.
Bullshit filter advised :-)

-- 
Bojan
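
The minimum-rate check proposed in the message above, sketched as an added example that is not part of the original post and is not httpd code. LimitRequestRate is only the proposed directive; the function name, the grace period and the sample receive traces are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the proposed check; not httpd code. */
struct rx_event { double t; size_t bytes; };  /* t: seconds since accept */

/* Constructed traces. The 8-bytes-per-5-seconds trickle is from the message;
 * the 200-byte opening burst and the legitimate client are assumptions. */
static const struct rx_event slowloris[] = { {0.0, 200}, {5.0, 8}, {10.0, 8}, {15.0, 8} };
static const struct rx_event legit[]     = { {0.1, 150}, {0.9, 300} };

/*
 * Average-rate check while request headers are being read.
 * Returns the time (seconds since accept) at which the connection is dropped
 * for averaging below min_rate bytes/second, or -1.0 if request_len bytes
 * arrive first. No check is made during the first `grace` seconds.
 */
double drop_time(const struct rx_event *ev, size_t n,
                 double min_rate, double grace, size_t request_len)
{
    size_t total = 0;
    double now = 0.0;
    for (size_t i = 0; ; i++) {
        /* Latest moment at which `total` bytes still average min_rate. */
        double deadline = (double)total / min_rate;
        if (deadline < grace) deadline = grace;
        if (deadline < now) deadline = now;       /* already behind: drop now */
        if (i == n || ev[i].t > deadline)
            return deadline;                      /* timer fires before more data */
        now = ev[i].t;
        total += ev[i].bytes;
        if (total >= request_len)
            return -1.0;                          /* headers complete */
    }
}

int main(void)
{
    /* 100 bytes/second is the figure suggested in the message. */
    printf("slowloris dropped at %.1f s\n", drop_time(slowloris, 4, 100.0, 1.0, 8190));
    printf("legit client result  %.1f\n", drop_time(legit, 2, 100.0, 1.0, 450));
    return 0;
}
```

Because the rate is averaged since accept, the 200-byte opening burst covers 2 seconds at 100 bytes per second, so the trickling connection is cut at 2.0 seconds rather than being held open by each 8-byte line.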

