httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Tue, 01 Sep 2009 20:16:40 GMT
On Tuesday 01 September 2009, Ruediger Pluem wrote:
> On 09/01/2009 04:26 PM, Torsten Foertsch wrote:
> > On Tue 01 Sep 2009, Stefan Fritsch wrote:
> >> http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c
> >>
> >> Any comments are welcome.
> >
> > Just a few thoughts:
> >
> > - You use GLOBAL_ONLY in ap_check_cmd_context. That means the
> > directive must not appear in vhost context. AFAIK,
> > conn->base_server reflects the vhost in a pre connection hook if
> > it is IP-based. So, why don't you allow for RequestTimeout to be
> > valid in ip-based vhost context? That way the protocol problem is
> > solved, isn't it?
> >
> > - Wouldn't RequestTimeout better be named RequestHeaderTimeout or
> > ReadRequestHeaderTimeout? RequestTimeout is a bit misleading
> > (IMHO). My first thought was: That thing limits the whole
> > transaction.
>
> Nice module. +1 to the comments above.

Thanks to everyone commenting so far. I have changed these two things 
and uploaded the new version to the same place.

Stefan
