Subject: Re: Crazy slowloris mitigation patch
From: Bojan Smojver
To: dev@httpd.apache.org
Date: Fri, 16 Oct 2009 14:36:26 +1100

On Fri, 2009-10-16 at 12:31 +1100, Bojan Smojver wrote:
> Slightly more sophisticated craziness attached.

OK, just a little bit cleaner this time.

--
Bojan

Content-Disposition: attachment; filename="httpd-kill_busy_read.patch"

--- httpd-2.2.14/server/mpm/prefork/prefork.c 2009-02-01 07:54:55.000000000 +1100 +++ httpd-2.2.14-p/server/mpm/prefork/prefork.c 2009-10-16 13:55:28.764567473 +1100 @@ -803,6 +803,7 @@ int free_slots[MAX_SPAWN_RATE]; int last_non_dead; int total_non_dead; + static apr_time_t maxed_out = 0; /* initialize the free_list */ free_length = 0; @@ -856,12 +857,14 @@ */ ap_mpm_pod_signal(pod); idle_spawn_rate = 1; + maxed_out = 0; } else if (idle_count < ap_daemons_min_free) { /* terminate the free list */ if (free_length == 0) { /* only report this condition once */ static int reported = 0; + apr_time_t now = apr_time_now(); if (!reported) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
@@ -870,6 +873,39 @@ reported = 1; } idle_spawn_rate = 1; + + /* Flooded by intentionally slow requests (e.g. slowloris)? + * Give the legitimate clients one maintenance interval to + * finish with request reads, then cull if we are still + * maxed out. Crude, but seems to clear things out. + */ + if (maxed_out) { + apr_time_t diff = now - maxed_out; + + if (diff >= SCOREBOARD_MAINTENANCE_INTERVAL) { + pid_t reader; + + for (i = 0; i < ap_daemons_limit; ++i) { + + ws = &ap_scoreboard_image->servers[i][0]; + + if (ws->status == SERVER_BUSY_READ || + ws->status == SERVER_BUSY_KEEPALIVE) { + + reader = ap_scoreboard_image->parent[i].pid; + + ap_mpm_safe_kill(reader, SIGTERM); + ap_log_error(APLOG_MARK, APLOG_INFO, 0, + ap_server_conf, + "Killed reader: %" APR_PID_T_FMT, + reader); + } + } + } + } + else { + maxed_out = now; + } } else { if (idle_spawn_rate >= 8) { @@ -902,10 +938,13 @@ else if (idle_spawn_rate < MAX_SPAWN_RATE) { idle_spawn_rate *= 2; } + + maxed_out = 0; } } else { idle_spawn_rate = 1; + maxed_out = 0; } } --=-HaPeEx2I9H2nOKE331CL--
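
Review bot: In the @@ -803,6 +803,7 @@ hunk, the new `static apr_time_t maxed_out = 0;` carries no comment saying what it records. Judging by the later hunks it holds the time at which a maintenance pass first found no free slots, with 0 meaning "not maxed out", and because it is static it persists between calls. A one-line comment at the declaration would make that contract explicit for every branch that has to reset it.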
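
Review bot: In the @@ -870,6 +873,39 @@ hunk, the loop sends SIGTERM to every child whose status is SERVER_BUSY_READ or SERVER_BUSY_KEEPALIVE without checking how long that particular child has been in that state. The grace period the comment describes is measured only from `maxed_out`, the moment the server as a whole ran out of slots, so a legitimate client that started sending its request just before this pass is culled together with the slow ones. Consider comparing a per-worker timestamp against the threshold before calling `ap_mpm_safe_kill`. Two smaller points in the same hunk: `maxed_out` is not updated after a cull, so a following pass that still finds `free_length == 0` culls again with no new grace period (setting `maxed_out = now;` after the loop would restore the one-interval wait), and the "Killed reader" message is logged at APLOG_INFO while the neighbouring "reported" message uses APLOG_ERR, which makes the kills easy to miss when diagnosing an incident.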
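
Review bot: In the @@ -902,10 +938,13 @@ hunk, `maxed_out = 0;` is added in two more branches on top of the reset in the @@ -856,12 +857,14 @@ hunk, so the timer stays correct only as long as every path that is not maxed out remembers to clear it. A single reset would be harder to break when a branch is added later, for example a local flag set in the `free_length == 0` branch and one `maxed_out = 0;` after the if/else chain when that flag is not set.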