httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Torsten Foertsch <torsten.foert...@gmx.net>
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Tue, 01 Sep 2009 14:26:52 GMT
On Tue 01 Sep 2009, Stefan Fritsch wrote:
> http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c
>
> Any comments are welcome.

Just a few thoughts:

- You use GLOBAL_ONLY in ap_check_cmd_context. That means the directive 
must not appear in vhost context. AFAIK, conn->base_server reflects the 
vhost in a pre connection hook if it is IP-based. So, why don't you 
allow for RequestTimeout to be valid in ip-based vhost context? That 
way the protocol problem is solved, isn't it?

- Wouldn't RequestTimeout better be named RequestHeaderTimeout or 
ReadRequestHeaderTimeout? RequestTimeout is a bit missleading (IMHO). 
My first thought was: That thing limits the whole transaction.

- You mentioned a minimum body transfer rate instead of a simple 
timeout. If the default values for LimitRequestFields, 
LimitRequestFieldSize and LimitRequestLine are added up I get a max. 
request header size of 101*8190 bytes. This may take some time to 
transmit while still valid. So, perhaps a transfer rate limit for the 
header is a good option, as well. Perhaps having both a timeout and a 
rate limit would be good.

Just my 0.02€.

Torsten

-- 
Need professional mod_perl support?
Just hire me: torsten.foertsch@gmx.net

Mime
View raw message