Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1B80710143 for ; Wed, 1 May 2013 08:08:58 +0000 (UTC) Received: (qmail 7670 invoked by uid 500); 1 May 2013 08:08:56 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 7573 invoked by uid 500); 1 May 2013 08:08:54 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 7501 invoked by uid 99); 1 May 2013 08:08:52 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 01 May 2013 08:08:52 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of margol@beamartyr.net designates 85.195.98.136 as permitted sender) Received: from [85.195.98.136] (HELO mail1.mirimar.net) (85.195.98.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 01 May 2013 08:08:46 +0000 Received: from [192.168.13.156] (bzq-80-23-58.static.bezeqint.net [82.80.23.58]) (authenticated bits=0) by mail1.mirimar.net (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id r4188KpC001756 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 1 May 2013 10:08:22 +0200 Message-ID: <5180CD61.1060701@beamartyr.net> Date: Wed, 01 May 2013 11:08:01 +0300 From: Issac Goldstand User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5 MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: URL scanning by bots References: <517F96F0.3090004@ice-sa.com> <517F997C.6040606@thelounge.net> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on zaphod.mirimar.net X-Virus-Scanned: clamav-milter 0.96.5 at zaphod X-Virus-Status: Clean X-Virus-Checked: Checked by ClamAV on apache.org X-Old-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.2 On 30/04/2013 21:38, Ben Laurie wrote: > On 30 April 2013 11:14, Reindl Harald wrote: >> Am 30.04.2013 12:03, schrieb Andr� Warnier: >>> As a general idea thus, anything which impacts the delay to obtain a 404 response, should >>> impact these bots much more than it impacts legitimate users/clients. >>> >>> How much ? >>> >>> Let us imagine for a moment that this suggestion is implemented in the Apache webservers, >>> and is enabled in the default configuration. And let's imagine that after a while, 20% of >>> the Apache webservers deployed on the Internet have this feature enabled, and are now >>> delaying any 404 response by an average of 1000 ms >> >> which is a invitation for a DDOS-attack because it would >> make it easier to use every available worker and by the >> delay at the same time active iptables-rate-controls >> get useless because you need fewer connections for the >> same damage >> >> no - this idea is very very bad and if you ever saw a >> DDOS-attack from 10 thousands of ip-addresses on a >> machine you maintain you would not consider anything >> which makes responses slower because it is the wrong >> direction > > There's no reason to make this a DoS vector - clearly you can queue > all the delayed responses in a single process and not tie up available > processes. And if that process gets full, you just drop them on the > floor. > 1) You're still keeping TCP connections in your kernel which on an incredibly busy server are an important resource. 2) What do you mean "drop them on the floor"? You're going to let your real users suffer by getting dropped connections instead of a 404? At best, they'll just try again, to the same URL, producing another 404 that'll hang around for a long time. At worst, you're pissing off real people.