httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <>
Subject Re: [users@httpd] PHP as CGI: Denial of Service?
Date Thu, 30 Sep 2004 15:28:00 GMT
On Wed, 29 Sep 2004 10:27:01 +0200, Florian Effenberger <> wrote:

> Sorry, but I just can't accept that a server connected with 100 MBit/s
> to the net can be brought down by a client connected with a 128 KBit/s
> upstream. This is a simple plain script that just prints out Hello
> world. I even left out most libraries in the PHP compile!

It is a fairly trivial excercise to tie up a webserver with very
little bandwidth from the client side.  It can be done even if all the
files on the server are static.  This is partly due to the processing
model used by apache (one thread/process per connection) and partly
due to the inherent facts of life of the internet.

The best way to protect against that is to use software/hardware
designed for the job: a firewall.  A good firewall can limit the
number of connections from any particular client, rendering this type
of attack impossible.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message