Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 77876 invoked from network); 18 Oct 2009 08:37:59 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 18 Oct 2009 08:37:59 -0000 Received: (qmail 11420 invoked by uid 500); 18 Oct 2009 08:37:58 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 11346 invoked by uid 500); 18 Oct 2009 08:37:57 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 11335 invoked by uid 99); 18 Oct 2009 08:37:57 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 18 Oct 2009 08:37:57 +0000 X-ASF-Spam-Status: No, hits=-2.6 required=5.0 tests=BAYES_00 X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [188.40.99.202] (HELO eru.sfritsch.de) (188.40.99.202) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 18 Oct 2009 08:37:55 +0000 Received: from [10.1.1.6] (helo=k.localnet) by eruneu.sfritsch.de with esmtp (Exim 4.69) (envelope-from ) id 1MzRGe-0005m7-MP for dev@httpd.apache.org; Sun, 18 Oct 2009 10:37:32 +0200 From: Stefan Fritsch To: dev@httpd.apache.org Subject: Re: Crazy slowloris mitigation patch Date: Sun, 18 Oct 2009 10:37:31 +0200 User-Agent: KMail/1.12.2 (Linux/2.6.30-1-686; KDE/4.3.2; i686; ; ) References: <1255640418.4989.42.camel@shrek.rexursive.com> <1255851358.4989.62.camel@shrek.rexursive.com> In-Reply-To: <1255851358.4989.62.camel@shrek.rexursive.com> MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-15" Content-Transfer-Encoding: 7bit Message-Id: <200910181037.31497.sf@sfritsch.de> On Sunday 18 October 2009, Bojan Smojver wrote: > The idea here is that a busy server is highly unlikely to be stuck > reading using all its children over a maintenance interval (i.e. we > expect at least one of those readers to turn into something else > during the interval). An attacker can easily circumvent this by opening one connection that slowly downloads a large file. Checking for a certain percentage of all children would be better. However, there is a real problem with all approaches that look for SERVER_BUSY_READ: The attacker can just use a URL that accepts POST requests and send the request body very slowly. These connections have the state SERVER_BUSY_WRITE. This problem affects mod_antiloris and mod_noloris, too (but not mod_reqtimeout). Maybe another state SERVER_BUSY_READ_BODY could be introduced? Or the state could be changed to SERVER_BUSY_READ again when the request body is read? I haven't checked how difficult this would be, though.