httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: svn commit: r790205 - /httpd/httpd/trunk/modules/experimental/mod_noloris.c
Date Thu, 02 Jul 2009 12:37:22 GMT
Joe Orton wrote:

> 1) A *linear-time* search on a shm segment, using strstr.
> 2) ... for each new connection.

With the expectation that the shm segment normally has strlen
of zero, and even under attack is just a few bytes.

> 3) On a shm segment which will get modified in-place by another process
> 4) ... without locking

with a comment about the race condition.  When the worst outcome is
that a connection is accepted from a should-be-banned client ...

> p.s. iptables -A INPUT -p tcp --syn --dport 80 \
>        -m connlimit --connlimit-above 50 -j REJECT  

Not everyone who's concerned right now about slowloris has
iptables at their disposal.

-- 
Nick Kew
