httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From fredk2 <fre...@gmail.com>
Subject Re: [users@httpd] Setting the Timeout directive to refrain a DoS attacks
Date Thu, 25 Jun 2009 13:14:26 GMT

Would'nt you think that a (simple) timer for the header could fend off some
of the effect.  Can't we assume that if it takes more than 3 second to enter
the header we do not want that client (i'll have to learn to type faster in
telnet :-).

Thanks - Fred


awarnier wrote:
> 
> fredk2 wrote:
>> Hi,
>> 
>> http://httpd.apache.org/docs/2.2/mod/core.html#timeout says:
>> 
>> The TimeOut directive currently defines the amount of time Apache will
>> wait
>> for three things
>> 1. The total amount of time it takes to receive a GET request
>> ...
>> 
>> 1. seems to be misleading, tests with "Timeout 3" does not appear very
>> effective.
>> For example:
>> GET / HTTP/1.1
>> Host: foo
>> <sleep 2s>
>> X-a: b
>> <sleep 2s>
>> ...
>> 
>> Such requests are not rejected after 3 seconds as expected.
>> Are we missing in Apache a timer for the header to complete ~
>> HeaderTimeout
>> 1?
>> 
> What you are describing above is exactly the way a "slowloris" 
> Denial-Of-Service attack works.
> On the majority of webservers, each such client locks up one child or 
> thread of the webserver, for as long as it takes to complete the request.
> It is quite difficult to fight this, because how do you then distinguish 
> a legitimate client that happens to have a slow internet connection ?
> 
> The item #1 above, is relative to the time between
> - the initial establishment of the TCP connection to Apache
> - and the arrival of the first byte of the HTTP request itself
> (the G of GET)
> That is to avoid another type of DOS attack.
> But how would Apache know in advance how many headers there are, or what 
> is "reasonable" as a time before a whole POST request is in ?
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Setting-the-Timeout-directive-to-refrain-a-DoS-attacks-tp24194473p24203038.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message