httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Boyington" <g...@regex.ca>
Subject Re: [users@httpd] How to prevent from simple DoS?
Date Sun, 18 Nov 2007 16:02:21 GMT
On Nov 18, 2007 10:32 AM, Joshua Slive <joshua@slive.ca> wrote:
> On Nov 18, 2007 10:28 AM, Ben Macintosh <bmac.list@gmail.com> wrote:
> > Hi
> > I'm currently facing a problem which I can't find any help for.
> > Every once in a while, my webserver doesn't respond to requests
> > anymore, i.e. the browser simply keeps on loading but doesn't get any
> > data.
> >
> > Using the status mod I found that in such a situation every possible
> > "slot" is being used by requests staying in "..reading.." status.
> > After restarting apache all the pending requests get processed but
> > after a few seconds all the slots are being blocked by the
> > "..reading.." status again.
> >
> > After some tests I could reproduce the situation with simply
> > initiating multiple telnet session to the webserver without sending
> > any data. Every such request blocks a slot for the default timeout of
> > 300 seconds.
> >
> > Is this common behaviour? If so, how to prevent it?
> > As I understand the issue it's a very simple DoS as it neither does
> > require a lot of cpu nor bandwidth on the client side.
>
> See:
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
>
> The standard solution is a simple firewall rule to control number of
> connections per ip at some reasonable level.
>
> Joshua.

I like the firewall approach myself, as it seems likely that anyone
with malicious intent (as distinct from the uninformed download
accelerator user, etc) should forfeit their rights to your bandwidth
regardless of protocol.  But for a purely apache solution, have a look
at mod_access ( http://httpd.apache.org/docs/2.0/mod/mod_access.html
).

-G

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message