httpd-dev mailing list archives

From Ben Laurie <...@links.org>
Subject Re: URL scanning by bots
Date Tue, 30 Apr 2013 18:38:22 GMT
On 30 April 2013 11:14, Reindl Harald <h.reindl@thelounge.net> wrote:
> On 30.04.2013 12:03, André Warnier wrote:
>> As a general idea thus, anything which impacts the delay to obtain a 404 response, should
>> impact these bots much more than it impacts legitimate users/clients.
>>
>> How much ?
>>
>> Let us imagine for a moment that this suggestion is implemented in the Apache webservers,
>> and is enabled in the default configuration.  And let's imagine that after a while, 20% of
>> the Apache webservers deployed on the Internet have this feature enabled, and are now
>> delaying any 404 response by an average of 1000 ms
>
> which is an invitation for a DDOS-attack because it would
> make it easier to use every available worker and by the
> delay at the same time active iptables-rate-controls
> get useless because you need fewer connections for the
> same damage
>
> no - this idea is very very bad and if you ever saw a
> DDOS-attack from 10 thousands of ip-addresses on a
> machine you maintain you would not consider anything
> which makes responses slower because it is the wrong
> direction

There's no reason to make this a DoS vector - clearly you can queue
all the delayed responses in a single process and not tie up available
processes. And if that process gets full, you just drop them on the
floor.
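
The design described in the reply above, sketched as an added example (not part of the original message and not Apache httpd code): one fixed-capacity queue holds the delayed 404 responses, and anything that arrives while it is full is dropped, so the delay never costs more than a bounded amount of memory. All names, the capacity and the explicit clock parameter are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout; a sketch, not Apache httpd code. */
#define DELAYQ_CAP 4      /* hard bound on parked 404s (small for the demo) */
#define DELAY_MS   1000   /* fixed delay, so deadlines stay in FIFO order */

struct parked { int conn_id; long due_ms; };
struct delayq {
    struct parked slot[DELAYQ_CAP];
    size_t head, count;       /* ring buffer, oldest entry at head */
    unsigned long dropped;    /* connections closed unanswered: queue was full */
};

/* Park a 404 for later sending. Returns 1 if queued, 0 if the queue is
 * full, in which case the caller closes the connection without replying. */
int delayq_park(struct delayq *q, int conn_id, long now_ms)
{
    if (q->count == DELAYQ_CAP) {
        q->dropped++;
        return 0;
    }
    size_t tail = (q->head + q->count) % DELAYQ_CAP;
    q->slot[tail].conn_id = conn_id;
    q->slot[tail].due_ms = now_ms + DELAY_MS;
    q->count++;
    return 1;
}

/* Pop every entry whose delay has elapsed; writes up to max connection
 * ids into out[] and returns how many should get their 404 now. */
size_t delayq_release(struct delayq *q, long now_ms, int *out, size_t max)
{
    size_t n = 0;
    while (q->count > 0 && n < max && q->slot[q->head].due_ms <= now_ms) {
        out[n++] = q->slot[q->head].conn_id;
        q->head = (q->head + 1) % DELAYQ_CAP;
        q->count--;
    }
    return n;
}

int main(void)
{
    struct delayq q = {0}; int ready[DELAYQ_CAP];
    for (int id = 0; id < 6; id++) delayq_park(&q, id, 0); /* constructed burst of six 404s at t=0 */
    size_t n = delayq_release(&q, DELAY_MS, ready, DELAYQ_CAP);
    printf("sent %zu delayed 404s, dropped %lu\n", n, q.dropped);
    return 0;
}
```

The worker that produced the 404 hands the connection to this queue and returns immediately, so the number of busy workers does not depend on the delay.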
