httpd-dev mailing list archives

From Bojan Smojver
Subject Re: Crazy slowloris mitigation patch
Date Sun, 18 Oct 2009 08:48:54 GMT
On Sun, 2009-10-18 at 10:37 +0200, Stefan Fritsch wrote:
> An attacker can easily circumvent this by opening one connection that 
> slowly downloads a large file. Checking for a certain percentage of 
> all children would be better.

Yeah, I was thinking of that too - just wanted to err on the side of
caution by having the lot in read state. We can also create a checksum
of pids/states and if this is the same second time around, pronounce it
under attack (combined with percentage).

> However, there is a real problem with all approaches that look for 
> SERVER_BUSY_READ: The attacker can just use a URL that accepts POST 
> requests and send the request body very slowly. These connections have 
> the state SERVER_BUSY_WRITE. This problem affects mod_antiloris and 
> mod_noloris, too (but not mod_reqtimeout).
> Maybe another state SERVER_BUSY_READ_BODY could be introduced? Or the 
> state could be changed to SERVER_BUSY_READ again when the request body 
> is read? I haven't checked how difficult this would be, though.

Yeah, that part sucks.

But the real deal is that there is a finite amount of resources we have
(be that sockets, threads or processes) and we need to decide how we are
willing to dole these out.
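
An added example, not code from the patch or from httpd: a sketch of the check discussed in this message, combining a percentage of workers in SERVER_BUSY_READ with a checksum of pids and states compared across two passes. The `struct worker` layout, the function names and the sample arrays are hypothetical; only the state names come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical stand-in for a scoreboard slot; only the state names come from the thread. */
enum worker_state { SERVER_READY, SERVER_BUSY_READ, SERVER_BUSY_WRITE };
struct worker { int pid; enum worker_state state; };

/* FNV-1a over every (pid, state) pair: equal digests on two passes mean no slot changed. */
static uint32_t snapshot_digest(const struct worker *w, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        uint32_t v[2] = { (uint32_t)w[i].pid, (uint32_t)w[i].state };
        for (int b = 0; b < 8; b++) {
            h ^= (v[b / 4] >> (8 * (b % 4))) & 0xffu;
            h *= 16777619u;
        }
    }
    return h;
}

/* Share of slots in SERVER_BUSY_READ, as a whole percentage. */
static unsigned read_percent(const struct worker *w, size_t n)
{
    size_t busy = 0;
    for (size_t i = 0; i < n; i++)
        busy += (w[i].state == SERVER_BUSY_READ);
    return n ? (unsigned)(busy * 100 / n) : 0;
}

/* 1 when the read share meets the threshold AND nothing changed since the previous pass. */
static int looks_stalled(const struct worker *prev, const struct worker *cur, size_t n, unsigned pct)
{
    return read_percent(cur, n) >= pct && snapshot_digest(prev, n) == snapshot_digest(cur, n);
}

/* Constructed samples, four slots each. */
static const struct worker stuck[4]   = {{101, SERVER_BUSY_READ}, {102, SERVER_BUSY_READ}, {103, SERVER_BUSY_READ}, {104, SERVER_READY}};
static const struct worker moved[4]   = {{101, SERVER_BUSY_READ}, {102, SERVER_BUSY_READ}, {103, SERVER_BUSY_READ}, {104, SERVER_BUSY_WRITE}};
static const struct worker in_body[4] = {{101, SERVER_BUSY_WRITE}, {102, SERVER_BUSY_WRITE}, {103, SERVER_BUSY_WRITE}, {104, SERVER_BUSY_WRITE}};

int main(void)
{
    printf("%d %d %d\n", looks_stalled(stuck, stuck, 4, 75),
           looks_stalled(stuck, moved, 4, 75), looks_stalled(in_body, in_body, 4, 75));
    return 0;
}
```

The `in_body` sample is never flagged even though it is frozen, because every slot reports SERVER_BUSY_WRITE: the blind spot for slow request bodies raised in the quoted text.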

