httpd-dev mailing list archives

From Stefan Fritsch
Subject Re: DoS with mod_deflate & range requests
Date Thu, 25 Aug 2011 06:21:26 GMT
On Thursday 25 August 2011, Jim Jagielski wrote:
> OK then… we seem to be coalescing into some consensus here…
> basically, if the client sends stuff which is brain-dead stupid,
> we simply 2000 and send the whole kit-and-kaboodle.
> I'd like to propose that we update the byterange filter to perform
> the following:
>   o coalesce all adjacent ranges, whether overlapping or not.
>     (eg: 200-250,251-300 & 200-250,220-300 both merge to 200-300)

This may still confuse a broken client. Maybe we could omit that from 
the 2.2 patch for now and only commit to 2.3.

>   o We count:
>      > the number of times a gap between ranges is <80bytes
>      > the number of times we hit a descendent range
>        (eg: 200-1000,2000-3000,1200-1500,4000-5000 would count as 1)
>      > the number of ranges total (post ascending merge)
>     If any >= some config-time limit, we send a 200
> This is a start and was chosen simply for ease of implementation…
> We can then expand it to be more functional…
> Comments?

Please also look at the patch at

which greatly reduces the memory needed for the range requests.
BTW, I won't have time to beat that into shape today. If anyone else 
has, please go ahead.

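The merge-and-count heuristic proposed in the quoted text, sketched in C as an added example; it is not httpd's byterange filter code and not the patch referred to in this message. The type and function names, the per-counter limits and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration: names and limits are assumptions, not httpd code. */
typedef struct { long start, end; } byte_range;   /* inclusive, as in bytes=a-b */
typedef struct { int small_gaps, descents, total; } range_stats;
#define SMALL_GAP 80   /* "gap between ranges is <80bytes" */

/* Merge overlapping/adjacent ranges in request order (ascending only),
 * count the three signals from the proposal, return the new range count. */
static size_t coalesce_ranges(byte_range *r, size_t n, range_stats *st)
{
    size_t out = 0;
    st->small_gaps = st->descents = 0;
    for (size_t i = 0; i < n; i++) {
        if (out > 0) {
            byte_range *prev = &r[out - 1];
            long gap = r[i].start - prev->end - 1;
            if (r[i].start < prev->start) {
                st->descents++;               /* starts before the previous range */
            } else if (gap <= 0) {            /* overlapping or directly adjacent */
                if (r[i].end > prev->end)
                    prev->end = r[i].end;
                continue;
            } else if (gap < SMALL_GAP) {
                st->small_gaps++;
            }
        }
        r[out++] = r[i];
    }
    st->total = (int)out;
    return out;
}

/* 1: ignore the Range header and answer 200 with the full body; 0: serve 206. */
static int send_full_200(const range_stats *st, const range_stats *limit)
{
    return st->small_gaps >= limit->small_gaps
        || st->descents >= limit->descents
        || st->total >= limit->total;
}

int main(void)
{
    byte_range r[] = {{200, 1000}, {2000, 3000}, {1200, 1500}, {4000, 5000}};
    range_stats st, limit = {10, 1, 20};   /* constructed limits */
    size_t n = coalesce_ranges(r, 4, &st);
    printf("%zu ranges, %d descents, send 200: %d\n", n, st.descents, send_full_200(&st, &limit));
    return 0;
}
```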