httpd-dev mailing list archives

From André Warnier
Subject Re: URL scanning by bots
Date Wed, 01 May 2013 00:31:51 GMT
Ben Laurie wrote:
> On 30 April 2013 11:29, Graham Leggett wrote:
>> On 30 Apr 2013, at 12:03 PM, André Warnier wrote:
>>> The only cost would be a relatively small change to the Apache webservers, which is what my
>>> suggestion consists of : adding a variable delay (say between 100 ms and 2000 ms) to any
>>> 404 response.
>> This would have no real effect.
>> Bots are patient, slowing them down isn't going to inconvenience a bot in any way.
>> The simple workaround if the bot does take too long is to simply send the requests in parallel.
> Disagree. Raising the bar reduces volume.
> In general, I hate the argument that improvement X has obvious
> workaround A and therefore we should not bother with it. It's
> absolutely impossible to make forward progress in security with that
> attitude. Every defence is defeatable (says experience) yet some are
> still worth putting in place.

Thank you for putting this succinctly.
That is exactly the point of my proposal : raising the bar.

Honestly, I do not know by how much it would raise the bar, nor how much it would have as
an effect in general. It just seems to me like an idea that may be worth trying, or at
least really evaluated "scientifically", to verify my many assumptions and approximations.

I just cannot think of how to do this practically, without actually rolling it out on a
sufficient number of servers, and involving some organisation that has the infrastructure
and the tools to measure the impact.
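
The variable 404 delay discussed in this thread, sketched as a WSGI middleware. This is an added example, not code from the mailing list or from Apache httpd; `Delay404Middleware`, `demo_app` and the injectable `sleep`/`rng` parameters are assumptions made for illustration.

```python
import random
import time

MIN_DELAY_S = 0.100   # 100 ms, lower bound quoted in the thread
MAX_DELAY_S = 2.000   # 2000 ms, upper bound quoted in the thread


class Delay404Middleware:
    """Hypothetical WSGI middleware that stalls 404 responses only."""

    def __init__(self, app, sleep=time.sleep, rng=None):
        self.app = app
        self.sleep = sleep                 # injectable so tests need not wait
        self.rng = rng or random.Random()
        self.delays = []                   # applied delays, kept for measurement

    def __call__(self, environ, start_response):
        captured, chunks = {}, []

        def deferred_start(status, headers, exc_info=None):
            # Hold the status line back until we know whether to delay.
            captured["args"] = (status, headers, exc_info)
            return chunks.append           # legacy write() callable

        result = self.app(environ, deferred_start)
        try:
            chunks.extend(result)
        finally:
            if hasattr(result, "close"):
                result.close()
        status, headers, exc_info = captured["args"]
        if status.split(" ", 1)[0] == "404":
            delay = self.rng.uniform(MIN_DELAY_S, MAX_DELAY_S)
            self.delays.append(delay)
            self.sleep(delay)              # holds this worker for the duration
        if exc_info:
            start_response(status, headers, exc_info)
        else:
            start_response(status, headers)
        return chunks


def demo_app(environ, start_response):
    """Constructed sample app: only "/" exists, everything else is a 404."""
    if environ.get("PATH_INFO") == "/":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]
```

The `delays` list records every delay applied, which gives a starting point for the kind of measurement the message asks for.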
