httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Tue, 01 Sep 2009 19:13:03 GMT


On 09/01/2009 08:42 AM, Stefan Fritsch wrote:
> On Tuesday 01 September 2009, Nick Kew wrote:

> 
>>> - Apache should respond with HTTP_REQUEST_TIME_OUT and not
>>> HTTP_BAD_REQUEST when there is a timeout reading the request.
>> In the slowloris case, it needs to time out before there's any such
>> thing as an HTTP request, so it won't be sending an HTTP response.
>> But I guess you're talking about the body timeout?
> 
> No, about the request. When apache has received at least one line of 
> the request, it currently responds with HTTP_BAD_REQUEST when there is 
> a timeout before the complete request was read. In this case 
> HTTP_REQUEST_TIME_OUT is more appropriate. It means "the client did 
> not produce a request within the time that the server was prepared to 
> wait".

Is this just regarding better logging on the server side? Otherwise I
wouldn't care too much what we sent to an attacker.

Regards

Rüdiger

