From Jim Jagielski <...@jaguNET.com>
Subject Re: DoS with mod_deflate & range requests
Date Thu, 25 Aug 2011 11:41:35 GMT

On Aug 25, 2011, at 2:56 AM, Plüm, Rüdiger, VF-Group wrote:

> 
> 
>> -----Original Message-----
>> From: Stefan Fritsch 
>> Sent: Thursday, 25 August 2011 08:21
>> To: dev@httpd.apache.org
>> Subject: Re: DoS with mod_deflate & range requests
>> 
>> On Thursday 25 August 2011, Jim Jagielski wrote:
>>> OK then... we seem to be coalescing into some consensus here...
>>> basically, if the client sends stuff which is brain-dead stupid,
>>> we simply 2000 and send the whole kit-and-kaboodle.
>>> 
>>> I'd like to propose that we update the byterange filter to perform
>>> the following:
>>> 
>>>  o coalesce all adjacent ranges, whether overlapping or not.
>>>    (eg: 200-250,251-300 & 200-250,220-300 both merge to 200-300)
>> 
>> This may still confuse a broken client. Maybe we could omit that from 
>> the 2.2 patch for now and only commit to 2.3.
> 
> Sounds like a plan. Or make it configurable with a default of off in 2.2.x
> and on in 2.3.x
> 
>> 
>>>  o We count:
>>>    > the number of times a gap between ranges is <80bytes
>>>    > the number of times we hit a descendent range
>>>       (eg: 200-1000,2000-3000,1200-1500,4000-5000 would count as 1)
>>>    > the number of ranges total (post ascending merge)
>>>    If any >= some config-time limit, we send a 200
>>> 
>>> This is a start and was chosen simply for ease of implementation...
>>> We can then expand it to be more functional...
>>> 
>>> Comments?
> 
> 
> Looks good. Plus we should implement the patch from Stefan below and then we
> should be good.
> 

++1 (see other thread: Fixing Ranges)
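A stand-alone sketch of the coalesce-and-count rule proposed in the quoted message, added here as an illustration and not the httpd byterange filter itself. It assumes the ranges are already parsed, interprets a "descendent range" as one whose start lies below the start of the range the client sent just before it, and takes the config-time limit as a plain parameter; the sample ranges in the comments are the ones from the thread.

```c
#include <stdlib.h>

/* One byte range, inclusive start and end, already parsed from the header. */
typedef struct { long start, end; } range_t;

#define GAP_LIMIT 80   /* a gap between merged ranges below this is counted */

static int cmp_range(const void *a, const void *b) {
    const range_t *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Applies the proposed rule to ranges[0..*n-1] in the order the client sent
 * them. Returns 1 if the request should be downgraded to a plain 200 (whole
 * body), 0 if a 206 for the merged ranges is acceptable. On return ranges[]
 * holds the ascending, coalesced ranges and *n the merged count. */
int check_ranges(range_t *ranges, int *n, int limit) {
    int small_gaps = 0, descendents = 0, merged = 0, i;
    if (*n <= 0) return 0;
    /* count descendent ranges before sorting: a range that starts below the
       previous one, e.g. 200-1000,2000-3000,1200-1500,4000-5000 counts 1 */
    for (i = 1; i < *n; i++)
        if (ranges[i].start < ranges[i - 1].start) descendents++;
    qsort(ranges, (size_t)*n, sizeof *ranges, cmp_range);
    /* coalesce adjacent or overlapping ranges: 200-250,251-300 and
       200-250,220-300 both merge to 200-300 */
    for (i = 1; i < *n; i++) {
        if (ranges[i].start <= ranges[merged].end + 1) {
            if (ranges[i].end > ranges[merged].end)
                ranges[merged].end = ranges[i].end;
        } else {
            /* a real gap remains; count it if it is smaller than 80 bytes */
            if (ranges[i].start - ranges[merged].end - 1 < GAP_LIMIT)
                small_gaps++;
            ranges[++merged] = ranges[i];
        }
    }
    *n = merged + 1;
    /* any counter reaching the limit means: send the whole thing as a 200 */
    return small_gaps >= limit || descendents >= limit || *n >= limit;
}
```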

