httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: DOS-Protection: RequestReadTimeout-like option missing
Date Sat, 11 May 2013 18:51:29 GMT

On 11.05.2013 20:26, Eric Covener wrote:
>> "CONFIG proxy.config.net.defer_accept INT 1" of Trafficserver
>> is a damned good idea in such cases - in real life it takes
>> never longer than 1 second and even if - it's configurable
> 
> Seems to have started that way:
> 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=41270
> 
> I think I misinterpreted what the setting meant in the same way people
> do in the bug.   It's awfully confusing.
> 
>        TCP_DEFER_ACCEPT (since Linux 2.4)
>               Allow a listener to be awakened only when data arrives
>               on the socket.  Takes an integer value (seconds), this can
>               bound the maximum number of attempts TCP will make to
>               complete the connection.  This option should not be used
>               in code intended to be portable.
> 
> So maybe the value pulls double duty?  What does deferring the accept
> until data arrives have to do with how long / many times / ??? you'll
> wait for the TCP handshake to complete?

https://issues.apache.org/bugzilla/show_bug.cgi?id=41270 is most likely
unrelated to the problem I see, but nobody and nothing needs 30 seconds
to complete a TCP connection; most requests, including the time of a
PHP script, do not take more than 0.5 seconds at all

I am really not sure *what exactly* is responsible that Trafficserver
closes a "telnet host 80" after 3 seconds of inactivity, *but* that is
way better looking at the big picture of which components (HW and SW)
are involved if you are under a DOS attack

however, what I speak about here is *for sure* not waiting for the
TCP handshake to complete, because the connection was established
long ago and stays open way too long; 10 years ago I kicked
akamai-nodes out of the net with a php-5-liner, confirmed by a
friend on a different ISP that it no longer accepted connections,
and these days even apache-prefork should defend against this

[harry@srv-rhsoft:~]$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

you get the response "Connected to localhost" immediately after
hitting enter, and from this moment the connection is present way
too long without ever getting a single byte from the client
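The distinction the thread circles around is that TCP_DEFER_ACCEPT only delays when the kernel hands a connection to accept(); it is not an idle timeout for a connection the server already holds. The following is an added illustration, not code from httpd, Trafficserver or anyone in this thread, of the server-side behaviour Reindl asks for: a listener (optionally with TCP_DEFER_ACCEPT, a Linux-only option looked up defensively) whose accepted connections are closed if the client sends no bytes within a configurable idle timeout. The class and function names, the "silent" and "talker" clients and the timeout values are constructed for the demonstration.

```python
import socket
import threading
import time

# TCP_DEFER_ACCEPT is Linux-specific; on other platforms the name is absent.
TCP_DEFER_ACCEPT = getattr(socket, "TCP_DEFER_ACCEPT", None)


def make_listener(host="127.0.0.1", port=0, defer_accept_secs=0):
    """Bind a listening socket on an ephemeral port. With defer_accept_secs > 0
    (Linux only) the kernel does not wake accept() until the client has sent
    data; the value is a timer in seconds on the not-yet-accepted connection,
    not an idle timeout for connections the application already holds."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if defer_accept_secs > 0 and TCP_DEFER_ACCEPT is not None:
        lsock.setsockopt(socket.IPPROTO_TCP, TCP_DEFER_ACCEPT, defer_accept_secs)
    lsock.bind((host, port))
    lsock.listen(16)
    return lsock


def handle_client(conn, idle_timeout):
    """Wait at most idle_timeout seconds for the first bytes of a request.
    Returns "timeout" (client never spoke, we closed it), "closed" (client
    hung up first) or "served"."""
    conn.settimeout(idle_timeout)
    try:
        try:
            data = conn.recv(4096)
        except socket.timeout:
            return "timeout"
        if not data:
            return "closed"
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n"
                     b"Connection: close\r\n\r\nok")
        return "served"
    finally:
        conn.close()          # the idle client is dropped here, freeing the slot


class IdleGuardServer:
    """Accept loop giving each connection its own thread and idle timer (constructed)."""

    def __init__(self, idle_timeout, defer_accept_secs=0):
        self.sock = make_listener(defer_accept_secs=defer_accept_secs)
        self.port = self.sock.getsockname()[1]
        self.idle_timeout = idle_timeout
        self.outcomes = []            # one entry per finished connection
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._workers = []
        self._acceptor = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._acceptor.start()
        return self

    def _record(self, conn):
        outcome = handle_client(conn, self.idle_timeout)
        with self._lock:
            self.outcomes.append(outcome)

    def _accept_loop(self):
        self.sock.settimeout(0.1)     # poll so stop() can end the loop
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            worker = threading.Thread(target=self._record, args=(conn,))
            worker.start()
            self._workers.append(worker)

    def stop(self):
        self._stop.set()
        self._acceptor.join()
        for worker in self._workers:
            worker.join()
        self.sock.close()
        return sorted(self.outcomes)


def simulate(idle_timeout=0.5):
    """Constructed scenario: one client connects and never sends a byte (the
    'telnet localhost 80' case from the thread), another sends a request line.
    Returns what each client observed plus the server-side outcomes."""
    srv = IdleGuardServer(idle_timeout).start()
    try:
        silent = socket.create_connection(("127.0.0.1", srv.port))
        silent.settimeout(idle_timeout * 6)
        started = time.monotonic()
        closed_by_server = silent.recv(1) == b""   # EOF once the server times us out
        silent_wait = time.monotonic() - started
        silent.close()

        talker = socket.create_connection(("127.0.0.1", srv.port))
        talker.settimeout(idle_timeout * 6)
        talker.sendall(b"GET / HTTP/1.0\r\n\r\n")
        reply = b""
        while True:
            chunk = talker.recv(4096)
            if not chunk:
                break
            reply += chunk
        talker.close()
    finally:
        outcomes = srv.stop()
    return {"silent_closed_by_server": closed_by_server,
            "silent_wait": silent_wait, "reply": reply, "outcomes": outcomes}


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the silent client being disconnected after roughly the idle timeout while the client that sends a request line is answered normally; in a real server the per-connection timer is what bounds how long an idle socket can occupy a worker, independent of any kernel-level accept deferral.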