httpd-dev mailing list archives

From Stefan Fritsch
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Tue, 01 Sep 2009 20:19:20 GMT
On Tuesday 01 September 2009, Ruediger Pluem wrote:
> >>> - Apache should respond with HTTP_REQUEST_TIME_OUT and not
> >>> HTTP_BAD_REQUEST when there is a timeout reading the request.
> >>
> >> In the slowloris case, it needs to time out before there's any
> >> such thing as an HTTP request, so it won't be sending an HTTP
> >> response. But I guess you're talking about the body timeout?
> >
> > No, about the request. When Apache has received at least one line
> > of the request, it currently responds with HTTP_BAD_REQUEST when
> > there is a timeout before the complete request was read. In this
> > case HTTP_REQUEST_TIME_OUT is more appropriate. It means "the
> > client did not produce a request within the time that the server
> > was prepared to wait".
> Is this just regarding better logging on the server side? Otherwise
> I wouldn't care too much what we send to an attacker.

Well, if there is a legitimate client who is too slow, it's better to 
send him a meaningful error message. But it's not that important, of 
