httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marian Marinov ...@yuhu.biz>
Subject Re: URL scanning by bots
Date Wed, 01 May 2013 12:09:03 GMT
On 05/01/2013 03:00 PM, Reindl Harald wrote:
>
>
> Am 01.05.2013 13:51, schrieb André Warnier:
>> There is so far one possible pitfall, which was identified by someone earlier on
this list : the fact that delaying
>> 404 responses might have a bad effect on some particular kind of usage by legitimate
clients/users.  So far, I
>> believe that such an effect could be mitigated by the fact that this option could
be turned off, by any webserver
>> administrator with a modicum of knowledge
>
> do you really not understand it?
>
> anything which bring security risks and makes normal operations more
> fragile MUST NOT be the default behavior of a webserver
>
> and YES making DOS-attacks easier is treatet as security risk by any
> professional auditor and there where i work "threat middle" means
> "fix it or shut down the customers project" and the last  time i got
> this was by a not visible protection against Slowloris from the view
> of the security-scanner
> __________________________________________
>
> here you have something to read and learn that more and more attacks
> are done this way by exhausting ressources without high bandwith and
> THIS are the real problems server-admins have to fight and not the noise
> you see on your small site
>
> http://www.slashroot.in/slowloris-http-dosdenial-serviceattack-and-prevention
>

I have to agree that delaying 'malicious' requests is opening the servers to DoS attacks and
SHOULD NOT be the default!
This is not a solution to the problem. In fact what we have done was to automatically disable
the delaying during 
excessive usage.



Mime
View raw message