httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Malo>
Subject Re: [users@httpd] PHP as CGI: Denial of Service?
Date Wed, 29 Sep 2004 08:00:19 GMT
* Florian Effenberger <> wrote:

> PHP set up as CGI (either with binfmt and suEXEC or via suPHP) can
> expose your system to a denial of service attack. Even a very simple
> page like
> <? echo "Hello world"; ?>
> can bog down a server completely if the reload button on the browser is
> pressed continously for some seconds. I already tried the RMax
> directives in httpd.conf and the memory limit in php.ini, but it does
> not seem to work, it is just being ignored.

I don't buy that.

Anyway, you *cannot* prevent a public service from being dosed. You can
lower the issue by:

 - using more or better hardware
 - playing with MaxClients etc.
 - consider to remove PHP
 - using a caching proxy or something

All those possibilities won't prevent you from being dosed. (e.g.lowering
MaxClients results just in an unresponsive server, even if the system itself
is ok -> DoS).

 - so finally: learn to live with it


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message