httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: svn commit: r790205 - /httpd/httpd/trunk/modules/experimental/mod_noloris.c
Date Thu, 02 Jul 2009 16:01:02 GMT
Joe Orton wrote:
> On Thu, Jul 02, 2009 at 01:37:22PM +0100, Nick Kew wrote:
>> Joe Orton wrote:
>>
>>> 1) A *linear-time* search on a shm segment, using strstr.
>>> 2) ... for each new connection.
>> With the expectation that the shm segment normally has strlen
>> of zero, and even under attack is just a few bytes.
> 
> As far as I can tell, the worst case is when the size of the string in 
> the shm segment approaches the maximum in a distributed DoS.  The 
> maximum will need to be:
> 
>     (MaxClients / MaxClientConnections) * 47 + 1
> 
> (46 is the max length of an IPv6 address, not 18, IIRC, and you need 
> +1's for both the space and the NUL terminator which strcpy will append)
> 
> That could easily be tens or hundreds of kilobytes, depending on 
> configuration.  Presuming that strstr() on that could be non-trivial, 
> the CPU cost of handling a DDoS attack becomes O(N^2) in an effort to 
> mitigate a single-client-DoS.  That sounds like a very poor trade-off.

A fixed memcmp of the fixed strlen(match)+1 is sufficient, as you are
observing the trailing NULL, which should correspond to the individual
client IP strings' trailing NULLs.

strstr is certainly suboptimal.
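The following is an added illustration, not code from this thread or from mod_noloris itself, of the two lookup strategies the thread contrasts. It models the shm segment the way the discussion describes it (one NUL-terminated string of space-separated client addresses), runs the strstr lookup over it, and puts a whole-entry comparison beside it; the fixed-slot table with a per-entry NUL, the 47-byte entry budget taken from the formula quoted above, and the sample addresses are all constructed assumptions for the demonstration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Assumed per-entry budget, following the thread's figure:
 * 46 address bytes + 1 separator (or terminator). */
#define ENTRY_BYTES 47

/* Upper bound on the segment size, using the formula quoted in the thread:
 * (MaxClients / MaxClientConnections) * 47 + 1 */
size_t max_segment_bytes(size_t max_clients, size_t max_client_conns)
{
    return (max_clients / max_client_conns) * ENTRY_BYTES + 1;
}

/* Lookup as criticised in the thread: substring search over the whole
 * segment on every connection. Besides scanning every byte, it also
 * matches an address that is merely a prefix of a listed one
 * ("10.0.0.1" inside "10.0.0.12"), so it can block the wrong client. */
int strstr_lookup(const char *segment, const char *ip)
{
    return strstr(segment, ip) != NULL;
}

/* Whole-entry lookup over the same space-separated segment: an entry
 * matches only if its length equals strlen(ip) and the bytes agree, i.e.
 * the byte after the match is the separator or the terminator. This is
 * the delimiter check that a memcmp of strlen(ip)+1 performs implicitly
 * when each entry carries its own NUL (see slot_lookup below). */
int token_lookup(const char *segment, const char *ip)
{
    size_t len = strlen(ip);
    const char *p = segment;

    while (*p) {
        const char *end = p;
        while (*end && *end != ' ')
            end++;                              /* find end of this entry */
        if ((size_t)(end - p) == len && memcmp(p, ip, len) == 0)
            return 1;
        p = end;
        while (*p == ' ')
            p++;                                /* skip separator(s) */
    }
    return 0;
}

/* Assumed fixed-slot layout: every entry is stored with its own trailing
 * NUL, so one memcmp of strlen(ip)+1 bytes compares the address and its
 * terminator together and a longer address can never match as a prefix. */
#define MAX_SLOTS 8

typedef struct {
    char slot[MAX_SLOTS][ENTRY_BYTES];
    int used;
} slot_table;

int slot_add(slot_table *t, const char *ip)
{
    size_t len = strlen(ip);
    if (t->used >= MAX_SLOTS || len + 1 > ENTRY_BYTES)
        return 0;                               /* table full or address too long */
    memcpy(t->slot[t->used++], ip, len + 1);    /* copy including the NUL */
    return 1;
}

int slot_lookup(const slot_table *t, const char *ip)
{
    size_t n = strlen(ip) + 1;                  /* compare the terminator too */
    if (n > ENTRY_BYTES)
        return 0;
    for (int i = 0; i < t->used; i++)
        if (memcmp(t->slot[i], ip, n) == 0)
            return 1;
    return 0;
}

/* Returns 1 when the slot table rejects a prefix match and accepts the
 * exact address; used to exercise slot_add/slot_lookup together. */
int slot_prefix_is_rejected(void)
{
    slot_table t = {{{0}}, 0};
    if (!slot_add(&t, "10.0.0.12"))
        return 0;
    return slot_lookup(&t, "10.0.0.1") == 0 && slot_lookup(&t, "10.0.0.12") == 1;
}

int main(void)
{
    /* Constructed segment contents, not real blocked clients. */
    const char *segment = "10.0.0.12 2001:db8::1";

    printf("max segment bytes (256 clients / 8 per client): %zu\n",
           max_segment_bytes(256, 8));
    printf("strstr  lookup of 10.0.0.1: %d (prefix false positive)\n",
           strstr_lookup(segment, "10.0.0.1"));
    printf("token   lookup of 10.0.0.1: %d\n", token_lookup(segment, "10.0.0.1"));
    printf("slot table rejects prefix: %d\n", slot_prefix_is_rejected());
    return 0;
}
```

Both token_lookup and slot_lookup still visit every entry, so the per-connection cost remains linear in the number of listed clients; what the whole-entry comparison removes is the byte-by-byte partial matching that strstr performs and the prefix false positive, which is the correctness point behind comparing the terminator as well.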
