httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: DOS-Protection: RequestReadTimeout-like option missing
Date Sat, 11 May 2013 14:33:45 GMT
maybe better shown with a PHP script without the need to enter anything;
my input / output to both server types and the php-cli script are below

both httpd and trafficserver are vulnerable in different ways;
if both projects could combine their behavior, that would be great,
so I send this message also to httpd-dev

httpd "wins" in case of a request sending "GET / HTTP/1.1" and
nothing more; Trafficserver waits "transaction_no_activity_timeout_in",
while only connecting is better suited by "accept_no_activity_timeout"

"transaction_no_activity_timeout_in" has IMHO a bug and should *not*
close the connection while waiting for the response of the origin
server, which makes it impossible to set it lower than 60 seconds
without damaging web applications like uploading a zip archive with
images, unpacking it and importing them into a gallery, as an example
_____________________________________

httpd 2.4.4: RequestReadTimeout "header=10-15,MinRate=500"

[harry@srv-rhsoft:~/Desktop]$ ./http-timeout.php localhost
localhost
test with request: 10 seconds
test without request: 41 seconds
_____________________________________

trafficserver 3.2.4: http.transaction_no_activity_timeout_in INT 60

[harry@srv-rhsoft:~/Desktop]$ ./http-timeout.php proxy
proxy
test with request: 60 seconds
test without request: 3 seconds
_____________________________________

[harry@srv-rhsoft:~/Desktop]$ cat http-timeout.php
#!/usr/bin/php
<?php
 if(!empty($argv[1]))
 {
  $host = $argv[1];
 }
 else
 {
  $host = 'localhost';
 }
 $errno = 0;
 $errstr = '';
 echo $host . "\n";
 echo "test with request: ";
 flush();
 $start = time();
 $fp = fsockopen ($host, '80', $errno, $errstr, 180);
 if(!$fp)
 {
  die("connect failed: $errstr ($errno)\n");
 }
 // send only the request line: no headers and no terminating blank line
 fwrite($fp, "GET / HTTP/1.1\n");
 while (!feof($fp))
 {
  $buffer = fgets($fp, 128);
 }
 echo (time() - $start) . " seconds\n";
 flush();
 echo "test without request: ";
 flush();
 $start = time();
 // connect and send nothing at all
 $fp = fsockopen ($host, '80', $errno, $errstr, 180);
 if(!$fp)
 {
  die("connect failed: $errstr ($errno)\n");
 }
 while (!feof($fp))
 {
  $buffer = fgets($fp, 128);
 }
 echo (time() - $start) . " seconds\n";
 flush();
?>

On 11.05.2013 15:08, Reindl Harald wrote:
> Hi
> 
> http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
> I am missing such an option for Trafficserver;
> this would mitigate a lot of Slowloris-like DOS attacks
> 
> <IfModule mod_reqtimeout.c>
>  RequestReadTimeout "header=10-15,MinRate=500"
> </IfModule>
> ____________________________________________________
> 
> the same request as below is terminated by httpd after 10 seconds
> while Trafficserver waits "no_activity_timeout" to close it
> 
> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
> 
> is in no way comparable, because if you lower this to 10 seconds
> you kill any request targeted to a longer running PHP script on
> the origin server, which happens application- and load-dependent
> 
> httpd does not even terminate the following script with
> "Timeout 30" and "RequestReadTimeout" with the setting above
> 
> <?php
>  sleep(90);
>  echo 'TEST';
> ?>
> ____________________________________________________
> 
> [harry@srv-rhsoft:~/Desktop]$ ./timeout.sh
> Sa 11. Mai 14:50:43 CEST 2013
> Trying 10.0.0.4...
> Connected to proxy.
> Escape character is '^]'.
> GET / HTTP/1.1
> Connection closed by foreign host.
> Sa 11. Mai 14:51:46 CEST 2013
> 
> [harry@srv-rhsoft:~/Desktop]$ ./timeout.sh
> Sa 11. Mai 15:00:37 CEST 2013
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET / HTTP/1.1
> HTTP/1.1 408 Request Timeout
> Server: Apache
> Content-Length: 545
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> Connection closed by foreign host.
> Sa 11. Mai 15:00:48 CEST 2013
> ____________________________________________________
> 
> that is the test script;
> after calling it, simply paste "GET / HTTP/1.1" into the telnet
> session, press enter and look how long the timeout takes
> 
> [harry@srv-rhsoft:~/Desktop]$ cat timeout.sh
> #!/bin/bash
> date
> telnet localhost 80
> date

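The difference the mail is about, a header-read deadline that keeps ticking for an idle client but is not tied to how long the origin takes, can be seen in a few dozen lines. The following is an added example, not the author's http-timeout.php and not code from httpd or Traffic Server: it models the documented RequestReadTimeout "header=initial-max,MinRate=n" semantics (initial seconds, one extra second per n bytes received, capped at max) in a small local listener, then runs the mail's two probes (partial request, no request) plus a complete request against it. The timeouts are scaled down from 10-15 seconds to fractions of a second so the demo finishes quickly; the 127.0.0.1 listener, the function names and all values are constructed for this example.

```python
"""Model of a mod_reqtimeout-style header-read deadline plus the two probes
from the mail.  Example code added to this thread; not the author's script and
not httpd/Traffic Server code.  Values are constructed and scaled down."""
import socket
import threading
import time


def header_deadline(initial, maximum, min_rate, bytes_received):
    """Seconds after connect at which header reading gives up.

    Models RequestReadTimeout "header=<initial>-<maximum>,MinRate=<min_rate>":
    the client gets `initial` seconds, every `min_rate` bytes buys one more
    second, never beyond `maximum` in total.  An idle client therefore times
    out at `initial` regardless of how slow the upstream application is.
    """
    return min(maximum, initial + bytes_received / float(min_rate))


class HeaderTimeoutServer:
    """Minimal listener on 127.0.0.1 that enforces header_deadline()."""

    def __init__(self, initial, maximum, min_rate):
        self.policy = (initial, maximum, min_rate)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listener closed by close()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        initial, maximum, min_rate = self.policy
        start = time.monotonic()
        buf = b""
        with conn:
            # Read until the blank line that ends the header block or the deadline.
            while b"\r\n\r\n" not in buf and b"\n\n" not in buf:
                deadline = start + header_deadline(initial, maximum, min_rate, len(buf))
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
                    return  # leaving the `with` closes the connection
                conn.settimeout(remaining)
                try:
                    chunk = conn.recv(4096)
                except socket.timeout:
                    continue  # re-evaluates the deadline and sends the 408
                if not chunk:
                    return  # client went away on its own
                buf += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")

    def close(self):
        self.sock.close()


def probe(port, request_bytes, client_timeout=5.0):
    """Connect, send `request_bytes` (possibly nothing) and wait for the server
    to close, like the mail's script.  Returns (elapsed_seconds, status_line)."""
    start = time.monotonic()
    data = b""
    with socket.create_connection(("127.0.0.1", port), timeout=client_timeout) as s:
        if request_bytes:
            s.sendall(request_bytes)
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
    status = data.split(b"\r\n", 1)[0].decode("ascii", "replace") if data else ""
    return time.monotonic() - start, status


def run_demo(initial=0.4, maximum=0.8, min_rate=500):
    """Run the mail's two tests and a complete request against the model server."""
    server = HeaderTimeoutServer(initial, maximum, min_rate)
    try:
        return {
            "with_request": probe(server.port, b"GET / HTTP/1.1\r\n"),
            "without_request": probe(server.port, b""),
            "complete_request": probe(server.port, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        }
    finally:
        server.close()


if __name__ == "__main__":
    for name, (secs, status) in run_demo().items():
        print("%-17s %5.2f seconds  %s" % (name, secs, status or "(closed without response)"))
```

Both idle probes get a 408 after roughly the scaled `initial` value, whatever the "origin" would have taken, and the complete request is answered immediately; a no-activity timeout that also covers the wait for the origin response cannot be tuned to give the same result, which is the point of the mail.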