httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject slowloris mitigation
Date Wed, 14 Apr 2010 20:46:55 GMT
When slowloris first hit the headlines, it generated bad press
for us: we offered no defence beyond raising your resource limits.
I hacked up mod_noloris as a stopgap solution, but it's
not really recommended for anything beyond ticking a box
labelled "defence against slowloris-type attacks".

Since then Stefan has given us mod_reqtimeout, which offers
an alternative defence, and a more satisfactory approach.
That means mod_noloris could be redundant before ever becoming
part of a release.

So what should we do with mod_noloris?
(a) Keep it and maintain it for users who want it
(b) Keep it in trunk for the interested but keep it
    out of released versions.
(c) Delete it altogether from svn?  If so, I'll keep
    it at webthing for anyone who really wants it.

Posted to users@ (as well as dev@) in case anyone wants to
report experiences - good or bad - on using it.

Nick Kew

View raw message