From: Nick Kew
Date: Thu, 02 Jul 2009 13:37:22 +0100
To: dev@httpd.apache.org
Subject: Re: svn commit: r790205 - /httpd/httpd/trunk/modules/experimental/mod_noloris.c
Message-ID: <4A4CAA02.204@webthing.com>
References: <20090701150155.C966823888EA@eris.apache.org> <20090702095815.GA6862@redhat.com>
In-Reply-To: <20090702095815.GA6862@redhat.com>

Joe Orton wrote:
> 1) A *linear-time* search on a shm segment, using strstr.
> 2) ...

for each new connection. With the expectation that the shm segment normally has strlen of zero, and even under attack is just a few bytes.

> 3) On a shm segment which will get modified in-place by another process
> 4) ... without locking

with a comment about the race condition. When the worst outcome is that a connection is accepted from a should-be-banned client ...

> p.s. iptables -A INPUT -p tcp --syn --dport 80 \
> -m connlimit --connlimit-above 50 -j REJECT

Not everyone who's concerned right now about slowloris has iptables at their disposal.

-- 
Nick Kew
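As an added illustration (not code from mod_noloris or from this thread), a minimal single-process model of the per-connection check discussed above: the banned-client list is one string that is normally empty, and each new connection costs a single strstr() call against it. The ";addr;" delimiting, the buffer size, and the function names are assumptions made for this example, chosen so that a strstr() hit cannot be a prefix match on a longer address.

```c
/* Added example, not mod_noloris code. A fixed-size string stands in for
 * the shm segment; it is "" until someone is banned, so strstr() on it
 * returns immediately for the common case. Entries are stored as ";addr;"
 * (an assumption for this illustration) so that "10.0.0.1" cannot match
 * inside "10.0.0.12". */
#include <string.h>

#define BANLIST_SIZE 1024            /* assumed size of the shared segment */

static char banlist[BANLIST_SIZE];   /* stands in for the shm segment */

/* Format addr as ";addr;" into key. Returns 0 on success, -1 if too long. */
static int make_key(const char *addr, char *key, size_t keylen)
{
    if (strlen(addr) + 3 > keylen)
        return -1;
    key[0] = ';';
    strcpy(key + 1, addr);
    strcat(key, ";");
    return 0;
}

/* The per-connection check: 1 if addr is banned, 0 otherwise. One strstr()
 * over a string that is usually empty or a few bytes long. */
int noloris_is_banned(const char *addr)
{
    char key[64];
    if (make_key(addr, key, sizeof key) != 0)
        return 0;                    /* oversized address: not in the list */
    return strstr(banlist, key) != NULL;
}

/* Append addr to the list. Returns 0 on success, -1 if already present
 * or the segment is full. Each entry keeps its own delimiters, so the
 * list looks like ";1.2.3.4;;10.0.0.1;" and lookups stay exact. */
int noloris_ban(const char *addr)
{
    char key[64];
    if (make_key(addr, key, sizeof key) != 0)
        return -1;
    if (strstr(banlist, key) != NULL)
        return -1;
    if (strlen(banlist) + strlen(key) >= sizeof banlist)
        return -1;
    strcat(banlist, key);
    return 0;
}

/* Empty the list (the normal state). */
int noloris_clear(void) { banlist[0] = '\0'; return 0; }
```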