httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: DOS-Protection: RequestReadTimeout-like option missing
Date Thu, 23 May 2013 15:03:05 GMT


On 23.05.2013 15:14, Dirk-Willem van Gulik wrote:
> On 11 May 2013, at 20:26, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
>> after the connection is established and in case of connect
>> you have already passed the TCP transmissions and kernel
>> settings like
>>
>> net.ipv4.tcp_fin_timeout = 5
>> net.ipv4.tcp_retries1 = 5
>> net.ipv4.tcp_syn_retries = 5
>> net.ipv4.tcp_synack_retries = 5
> 
> The way I usually deal with this is three fold - and I think that it a) behoves apache/traffic server to allow admins to configure this in widely varying ways while b) have somewhat sane middle of the road settings.
> 
>
> So am doubtful if this sort of knowledge should be part of the default. 
> 
> Think that those settings should be fairly conservative - designed to work in a wide range of settings.
> 
> Even if that means you can hog resources remotely with relative ease - as it is hard to know ahead of time if this is an enterprise-server sending large Java-generated blobs to people on a local LAN or a small server doing short ajax-y replies to mobile clients with tens of seconds idleness in lots of parallel connections.
> 
> Just my 2 pence

in case of get, not a single byte after the TCP connection is established and
*not a single byte sent*: this all does not matter, and at least it should be
configurable to close such connections after XX seconds of not sending a single
byte instead of easily overloading NAT-routers in front of the server
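The behaviour argued for above, a connection that sends no byte at all being closed after a fixed wait, as an added example that is not part of this thread or of httpd. The port, the 0.5 s timeout and the canned response are constructed for the demo; real servers implement this inside their event loop rather than with one thread per accept loop.

```python
import socket
import threading
import time

# Constructed value for the demo: how long a client may stay silent after
# the TCP handshake before the server gives up on it.
FIRST_BYTE_TIMEOUT = 0.5  # seconds


def handle_client(conn: socket.socket, timeout: float) -> bool:
    """Wait for the first request byte; return True if one arrived.

    A client that never sends anything is closed after `timeout` seconds,
    which frees the worker slot and the NAT/conntrack state it was holding.
    """
    conn.settimeout(timeout)
    try:
        first = conn.recv(1)
    except socket.timeout:
        conn.close()  # silent client: drop it instead of waiting for a request
        return False
    if not first:
        conn.close()  # client closed first
        return False
    # Normal path, truncated for the demo: answer and close.
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    conn.close()
    return True


def start_server(timeout: float = FIRST_BYTE_TIMEOUT) -> int:
    """Listen on an ephemeral localhost port in a background thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            handle_client(conn, timeout)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def probe(port: int, payload: bytes) -> tuple[bytes, float]:
    """Connect, send `payload` (possibly nothing) and report the server's reaction.

    Returns what was received (b"" means the server closed the connection)
    and the elapsed time, so the timeout can be observed from the client side.
    """
    start = time.monotonic()
    with socket.create_connection(("127.0.0.1", port)) as c:
        if payload:
            c.sendall(payload)
        c.settimeout(5.0)
        data = c.recv(1024)
    return data, time.monotonic() - start
```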

