Joe Orton wrote:
> 1) A *linear-time* search on a shm segment, using strstr.
> 2) ... for each new connection.
With the expectation that the shm segment normally has strlen
of zero, and even under attack is just a few bytes.
> 3) On a shm segment which will get modified in-place by another process
> 4) ... without locking
with a comment about the race condition. When the worst outcome is
that a connection is accepted from a should-be-banned client ...
> p.s. iptables -A INPUT -p tcp --syn --dport 80 \
> -m connlimit --connlimit-above 50 -j REJECT
Not everyone who's concerned right now about slowloris has
iptables at their disposal.
--
Nick Kew