httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r790205 - /httpd/httpd/trunk/modules/experimental/mod_noloris.c
Date Thu, 02 Jul 2009 14:41:52 GMT
On Thu, Jul 02, 2009 at 01:37:22PM +0100, Nick Kew wrote:
> Joe Orton wrote:
>
>> 1) A *linear-time* search on a shm segment, using strstr.
>> 2) ... for each new connection.
>
> With the expectation that the shm segment normally has strlen
> of zero, and even under attack is just a few bytes.

As far as I can tell, the worst case is when the size of the string in 
the shm segment approaches the maximum in a distributed DoS.  The 
maximum will need to be:

    (MaxClients / MaxClientConnections) * 47 + 1

(46 is the max length of an IPv6 address, not 18, IIRC, and you need 
+1's for both the space and the NUL terminator which strcpy will append)

That could easily be tens or hundreds of kilobytes, depending on 
configuration.  Presuming that strstr() on that could be non-trivial, 
the CPU cost of handling a DDoS attack becomes O(N^2) in an effort to 
mitigate a single-client-DoS.  That sounds like a very poor trade-off.

Regards, Joe
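To make the cost argument concrete, here is an added C model of the shm string as Joe describes it (47-byte entries, space separated, NUL terminated, strstr lookup then strcpy append). It is illustration code written for this page, not mod_noloris source; the function names, the constructed attacker addresses and the simplified lookup-then-append logic are assumptions, and the search counts character comparisons so the per-connection scan cost can be measured rather than guessed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Joe's per-entry budget: longest IPv6 text form plus the separating
 * space, plus one byte overall for the NUL that strcpy appends. */
#define NOLORIS_ENTRY_LEN 47

/* Worst-case length of the shm string for a given server configuration. */
size_t noloris_shm_size(size_t max_clients, size_t max_client_conns)
{
    return (max_clients / max_client_conns) * NOLORIS_ENTRY_LEN + 1;
}

/* Same answer as strstr(), but counts every character comparison so the
 * cost of one per-connection lookup can be measured instead of guessed. */
static const char *counting_strstr(const char *hay, const char *needle,
                                   unsigned long *cmps)
{
    size_t nlen = strlen(needle);
    for (const char *p = hay; *p; p++) {
        size_t i;
        for (i = 0; i < nlen; i++) {
            (*cmps)++;
            if (p[i] != needle[i]) break;  /* a NUL in hay mismatches too */
        }
        if (i == nlen) return p;
    }
    return NULL;
}

/* Model a distributed attack: n_clients distinct addresses, each looked up
 * in the segment and appended when absent (hypothetical simplification of
 * the module's strstr-then-strcpy logic). Returns total comparisons. */
unsigned long noloris_scan_cost(size_t n_clients)
{
    char *shm = calloc(noloris_shm_size(n_clients, 1), 1);
    unsigned long cmps = 0;
    for (size_t c = 0; c < n_clients; c++) {
        char addr[NOLORIS_ENTRY_LEN];   /* constructed worst-case-length literal */
        snprintf(addr, sizeof addr, "ffff:ffff:ffff:ffff:ffff:ffff:%03lu.%03lu.%03lu.%03lu ",
                 (unsigned long)(c >> 24) & 255, (unsigned long)(c >> 16) & 255,
                 (unsigned long)(c >> 8) & 255, (unsigned long)c & 255);
        if (counting_strstr(shm, addr, &cmps) == NULL)
            strcat(shm, addr);
    }
    free(shm);
    return cmps;
}
```

Doubling the number of distinct attacking clients roughly quadruples the total comparisons, which is the O(N^2) behaviour the message describes.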
