httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: Crazy slowloris mitigation patch
Date Sun, 18 Oct 2009 08:37:31 GMT
On Sunday 18 October 2009, Bojan Smojver wrote:
> The idea here is that a busy server is highly unlikely to be stuck
> reading using all its children over a maintenance interval (i.e. we
> expect at least one of those readers to turn into something else
>  during the interval).

An attacker can easily circumvent this by opening one connection that 
slowly downloads a large file. Checking for a certain percentage of 
all children would be better.

However, there is a real problem with all approaches that look for 
SERVER_BUSY_READ: The attacker can just use a URL that accepts POST 
requests and send the request body very slowly. These connections have 
the state SERVER_BUSY_WRITE. This problem affects mod_antiloris and 
mod_noloris, too (but not mod_reqtimeout).

Maybe another state SERVER_BUSY_READ_BODY could be introduced? Or the 
state could be changed to SERVER_BUSY_READ again when the request body 
is read? I haven't checked how difficult this would be, though.

Mime
View raw message