Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E9B10F10C for ; Sat, 4 May 2013 18:44:54 +0000 (UTC) Received: (qmail 26011 invoked by uid 500); 4 May 2013 18:44:54 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 25956 invoked by uid 500); 4 May 2013 18:44:54 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 25948 invoked by uid 99); 4 May 2013 18:44:54 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 04 May 2013 18:44:54 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of prvs=083691ffa1=micha@lenk.info designates 188.40.85.232 as permitted sender) Received: from [188.40.85.232] (HELO mx.lenk.info) (188.40.85.232) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 04 May 2013 18:44:46 +0000 Received: from [192.168.77.232] (port=55565 helo=mail.lenk.info) by mx.lenk.info with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from ) id 1UYhRa-0007MX-0J for dev@httpd.apache.org; Sat, 04 May 2013 20:44:26 +0200 Received: from p4ff64ce7.dip0.t-ipconnect.de ([79.246.76.231] helo=[192.168.178.25]) by mail.lenk.info with esmtpsa (Cipher TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.72 1) id 1UYhRU-0007l0-6u for ; Sat, 04 May 2013 20:44:20 +0200 Message-ID: <51855730.2010100@lenk.info> Date: Sat, 04 May 2013 20:45:04 +0200 From: Micha Lenk User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20130116 Icedove/10.0.12 MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: URL scanning by bots References: <517F96F0.3090004@ice-sa.com> <0028CAB3-663E-4FEF-B52C-0643D493167C@sharp.fm> <51804F41.90707@ice-sa.com> <5180606F.30105@ice-sa.com> <51837B65.1030309@yuhu.biz> In-Reply-To: X-Enigmail-Version: 1.4.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org Hi, Am 03.05.2013 11:27, schrieb Dirk-Willem van Gulik: > FWIIW - the same sentiments where expressed when 'greylisting[1]' in > SMTP came in vogue. For small relays (speaking just from personal > experience and from the vantage of my own private tiny MTA's) that > has however not been the case. Greylisting did dampen things > significantly - and the effect lasts to this day. The main difference I see here is, that a SMTP server that uses greylisting really can close the client connection almost immediately with keeping minimal state, usually on cheap disk. So, until the client retries, neither the kernel nor any processes have to deal with the greylisting during the delay period. In HTTP this is totally different. You can't just return a temporary error code and assume that web browser will retry some reasonable moments later. For this reason you would have to delay the real HTTP response. And this has a substantial resource usage impact, as you have to maintain state across all operating system layers. The network stack needs to maintain the TCP connection open, the kernel needs to maintain an open socket for the server process, the server process needs to maintain an (some kind of) active HTTP request -- for every single delayed request. These resources would just wait for the delay timer to expire, so essentially hanging around without doing anything useful, and without changing any outcome of the actual HTTP transaction. As others already pointed out, this opens the doors for denial of service attacks by excessive resource usage. From a security point of view, you definitely don't want such HTTP response delays. Regards, Micha