httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Tue, 08 Sep 2009 13:20:30 GMT

On 06.09.2009 22:38, Stefan Fritsch wrote:
> On Tuesday 01 September 2009, Ruediger Pluem wrote:
>> I guess
>>
>> reqtimeout_after_body
>>
>> also needs to be updated to the assert / do nothing if not
>>  configured logic like reqtimeout_after_headers
>>
> 
> Thanks, I missed that. I fixed it and also added support for minimum 
> upload rates:
> 
> This
> 
> RequestHeaderTimeout initialTimeout [maxTimeout]
> RequestHeaderMinRate minRate
> 
> will now set the timeout to initialTimeout. Whenever data is received, 
> the timeout is increased according to minRate, but not to a value 
> larger than maxTimeout. If RequestHeaderMinRate is not present, 
> maxTimeout will be ignored.
> 
> The same goes for the Body* directives.
> 
> The new version is again at
> http://www.sfritsch.de/mod_reqtimeout/

I haven't tested it yet, but I like the way it handles the problem, now that
you have also included the configurable data rate.

Regards,

Rainer
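
The timeout behaviour described in the quoted text above, as an added example that is not part of this thread or of mod_reqtimeout's own code: a small model of how the header deadline moves for a trickling client, a steady client and a normal one. Assumptions: times are milliseconds since the header phase began, minRate is in bytes per second, each n received bytes extend the deadline by n / minRate seconds, and the names rt_cfg, rt_read and rt_simulate are hypothetical.

```c
#include <stdio.h>

/* Added model, not mod_reqtimeout source. Assumptions: times are ms since
 * the header phase began, minRate is bytes/second, and n received bytes
 * extend the deadline by n / minRate seconds. */
typedef struct {
    long initial_ms;  /* RequestHeaderTimeout initialTimeout */
    long max_ms;      /* RequestHeaderTimeout maxTimeout */
    long min_rate;    /* RequestHeaderMinRate, 0 = directive absent */
} rt_cfg;

typedef struct { long at_ms; long bytes; } rt_read;  /* one socket read */

/* Returns the ms at which the connection times out, or -1 if every read
 * arrives before the deadline (headers assumed complete at the last read). */
long rt_simulate(const rt_cfg *cfg, const rt_read *reads, int n)
{
    long deadline = cfg->initial_ms;
    for (int i = 0; i < n; i++) {
        if (reads[i].at_ms >= deadline)
            return deadline;
        if (cfg->min_rate > 0) {          /* without minRate, max is ignored */
            deadline += reads[i].bytes * 1000 / cfg->min_rate;
            if (deadline > cfg->max_ms)
                deadline = cfg->max_ms;   /* never beyond maxTimeout */
        }
    }
    return -1;
}

/* Constructed traffic samples. */
static const rt_read trickle[] = { {5000, 1}, {10000, 1}, {15000, 1} };
static const rt_read steady[]  = { {4000, 2500}, {8000, 2500}, {12000, 2500},
    {16000, 2500}, {20000, 2500}, {24000, 2500}, {28000, 2500}, {32000, 2500} };
static const rt_read normal[]  = { {100, 800} };

int main(void)
{
    rt_cfg rated = { 10000, 30000, 500 }, fixed = { 10000, 30000, 0 };
    printf("trickle: %ld\n", rt_simulate(&rated, trickle, 3));
    printf("steady:  %ld\n", rt_simulate(&rated, steady, 8));
    printf("steady, no minRate: %ld\n", rt_simulate(&fixed, steady, 8));
    printf("normal:  %ld\n", rt_simulate(&rated, normal, 1));
    return 0;
}
```

With these constructed values, one byte every five seconds earns only 2 ms of extension per read, so the trickling client is cut off just after initialTimeout, while a client sustaining more than minRate is still stopped at maxTimeout.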
