httpd-users mailing list archives

From Sam Testuser <toximoron...@yahoo.co.uk>
Subject Re: [users@httpd] How to prevent from simple DoS?
Date Thu, 22 Nov 2007 16:13:59 GMT
Joshua Slive <joshua@slive.ca> wrote:
> Apache httpd does log when a connection hits a TimeOut. (Or if it
> doesn't, that is certainly a bug that should be reported.) So I don't
> really understand the premise here.

If you hit the timeout, the request is logged in the error log at loglevel error.
That much is true. But it is not very difficult to work around the timeout.
It is usually reset after every TCP packet as it is being received. Even for
the header phase on those Apache servers I checked. (However, the
documentation advertises "The total amount of time it takes to receive a GET
request.")

If I work around the timeout n times and finally send a valid request,
then I am able to block a thread/process for n * timeout - 1 and nothing
appears in the logfile. There are the header limit directives, but it is
hardly possible to set them to very low values and besides: who
cares about headers when there is a request body to be slowed down?

As a side note: netstat on Linux reveals a few interesting pieces of timing information.
Other operating systems seem to be less verbose in this regard.
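
Added example, not part of the original message and not Apache httpd code: a Python sketch of the difference discussed above between a timeout that restarts on every received packet and a cap on the total time allowed for the header phase. `read_headers`, `run_trace`, `HeaderTimeout` and the request pieces are hypothetical names and constructed data, and the timings are scaled down to fractions of a second.

```python
import socket
import threading
import time

class HeaderTimeout(Exception):
    """Raised at the point where a server would log the timeout."""

def read_headers(conn, idle_timeout, total_deadline=None):
    """Read until the blank line that ends the request headers.

    idle_timeout restarts on every recv(), the behaviour the message describes.
    total_deadline, when set, caps the whole header phase instead.
    Returns (header_bytes, seconds_the_worker_was_held).
    """
    start = time.monotonic()
    buf = b""
    while b"\r\n\r\n" not in buf:
        wait = idle_timeout
        if total_deadline is not None:
            wait = min(wait, total_deadline - (time.monotonic() - start))
            if wait <= 0:
                raise HeaderTimeout("header phase exceeded total deadline")
        conn.settimeout(wait)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise HeaderTimeout("no data within timeout") from None
        if not chunk:
            raise ConnectionError("peer closed before headers were complete")
        buf += chunk
    return buf, time.monotonic() - start

def run_trace(pieces, gap, idle_timeout, total_deadline=None):
    """Feed constructed request pieces over a local socketpair, gap seconds apart."""
    server, client = socket.socketpair()
    def feed():
        for piece in pieces:
            time.sleep(gap)
            client.sendall(piece)
    sender = threading.Thread(target=feed)
    sender.start()
    try:
        return read_headers(server, idle_timeout, total_deadline)
    finally:
        sender.join()
        server.close()
        client.close()

# Constructed sample request, split so every gap stays below idle_timeout.
PIECES = [b"GET / HT", b"TP/1.1\r\n", b"Host: exa", b"mple.test\r\n", b"X-A: b\r\n", b"\r\n"]
```

With `gap=0.1` and `idle_timeout=0.3` the read completes without any timeout being raised even though the worker is held for about twice the idle timeout; adding `total_deadline=0.25` turns the same trace into a `HeaderTimeout`, which is the event a server can log.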
